CN111079271B - Industrial information physical system attack detection method based on system residual fingerprint - Google Patents
Industrial information physical system attack detection method based on system residual fingerprint Download PDFInfo
- Publication number
- CN111079271B CN111079271B CN201911210841.4A CN201911210841A CN111079271B CN 111079271 B CN111079271 B CN 111079271B CN 201911210841 A CN201911210841 A CN 201911210841A CN 111079271 B CN111079271 B CN 111079271B
- Authority
- CN
- China
- Prior art keywords
- residual
- attack
- data
- model
- state
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 24
- 238000000034 method Methods 0.000 claims abstract description 42
- 238000005070 sampling Methods 0.000 claims abstract description 18
- 230000009545 invasion Effects 0.000 claims abstract description 7
- 238000001914 filtration Methods 0.000 claims abstract description 4
- XLYOFNOQVPJJNP-UHFFFAOYSA-N water Substances O XLYOFNOQVPJJNP-UHFFFAOYSA-N 0.000 claims description 46
- 238000002347 injection Methods 0.000 claims description 12
- 239000007924 injection Substances 0.000 claims description 12
- 239000011159 matrix material Substances 0.000 claims description 12
- 238000005259 measurement Methods 0.000 claims description 8
- 230000015572 biosynthetic process Effects 0.000 claims description 4
- 238000003786 synthesis reaction Methods 0.000 claims description 4
- 230000014509 gene expression Effects 0.000 claims description 3
- 230000005540 biological transmission Effects 0.000 claims description 2
- 238000007781 pre-processing Methods 0.000 claims description 2
- 238000004904 shortening Methods 0.000 claims 1
- 230000002194 synthesizing effect Effects 0.000 claims 1
- 238000004891 communication Methods 0.000 description 6
- 238000002474 experimental method Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000006378 damage Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000007123 defense Effects 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 238000013179 statistical model Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000002955 isolation Methods 0.000 description 1
- 230000035772 mutation Effects 0.000 description 1
- 238000001308 synthesis method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
- G06F17/10—Complex mathematical operations
- G06F17/11—Complex mathematical operations for solving equations, e.g. nonlinear equations, general mathematical optimization problems
- G06F17/12—Simultaneous equations, e.g. systems of linear equations
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/02—Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]
Landscapes
- Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mathematical Physics (AREA)
- Theoretical Computer Science (AREA)
- Pure & Applied Mathematics (AREA)
- Mathematical Analysis (AREA)
- Software Systems (AREA)
- Mathematical Optimization (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computational Mathematics (AREA)
- Computer Hardware Design (AREA)
- Data Mining & Analysis (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- Operations Research (AREA)
- Algebra (AREA)
- Databases & Information Systems (AREA)
- Collating Specific Patterns (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An industrial information physical system attack detection method based on system residual fingerprints comprises the following steps: firstly, constructing a system physical model, giving out a state space equation of the system physical model, and acquiring data of the system in normal operation after the model is determined; secondly, obtaining each coefficient in a state space equation by a system identification method; thirdly, injecting a non-zero constant on the basis of target data to implement internal attack in a false data invasion form; fourthly, predicting the system state at the next moment by using Kalman filtering, obtaining the general form of a synthetic model of a system residual error, and detecting malicious attack by using synthetic residual error fingerprints; and fifthly, further sampling residual fingerprints under the intrusion attack of the decimal false data, and amplifying the variation of the residual fingerprints. The invention accurately detects the attack to the industrial information physical system by utilizing the system residual fingerprint and combining with a new sampling method, and improves the real-time performance of attack detection.
Description
Technical Field
The invention belongs to the field of industrial control system safety, and relates to a system residual fingerprint synthesis method, a data sampling method and a water level control experiment platform.
Background
The conventional Industrial Control System (ICS) has communication limited to the internal devices because it is not connected to the network space. With the acceleration of industrialization and informatization processes, modern industrial infrastructures have a wide-range and widely-distributed trend, and communication networks are introduced into ICS, so that physical processes can be remotely monitored by using the communication networks, and thus, new industrial information physical systems (ICPS) are evolved. External communication networks must bring vulnerabilities and backdoors that are easily exploited by hackers, resulting in an increased risk of ICPS being subject to malicious attacks. Malicious attacks may lead to degraded ICPS performance and physical equipment damage, even causing system crashes, resulting in serious economic losses. For the attack from the inside of the system, the attack is generally an internal person, has knowledge of a system model and a system dynamic equation, and can directly obtain the sensor data, so that the internal attacker does not need to enter a network layer, can skip the network layer, and can launch a malicious attack, thereby causing serious harm to the system.
The infrastructure and equipment related to ICPS are not only closely related to people's daily lives, but also related to social and national security. Therefore, how to improve the security of ICPS and today's network security are not just personal information security, but social, even national security is affected. Therefore, how to improve the defensive ability of ICPS against attacks is a great importance of researchers at present.
In an industrial control system, the data of normal operation of the system are not separated accurately, and once the data is tampered, the system is far from a steady state and even crashes. For attacks from inside the system, the purpose of the attacker is to minimize the possibility of the attack being detected under the condition of the greatest damage to the system as possible, but the existing ICPS attack defense method cannot detect the attack from inside the system, so that the attacker can bypass physical isolation and software isolation to obtain system data, such as sensor readings, and initiate various malicious attacks, such as false data injection, hidden attacks and the like. As far as the defending party is concerned, the current attack detection methods for ICPS can be generally classified into two categories: network domain methods and physical domain methods. The network domain method captures data packets through a conventional Intrusion Detection System (IDS) and checks for traffic anomalies. The physical domain method is to build a physical model of the system, compare the predicted value of the network model with the perceived value in the physical model through analysis of the physical characteristics, and find out potential attack. While the network domain approach ignores the physical feature information important to ICPS, the physical domain approach, particularly the device fingerprint-based approach, while helping to improve the ICPS's ability to defend against external attacks, is still unable to defend against attacks from within the system. Therefore, a defense method against ICPS internal attacks is urgently needed.
The water level control system has the basic characteristics of ICPS, under the background of the existing safety problem of the ICPS, the invention introduces the concept of residual fingerprints of the system in terms of control, takes the water level control system as an experimental platform, implements internal attacks in false data invasion form on the water level control system, changes the measurement value of a sensor, deceives the controller, and uses a method based on residual fingerprints to detect the attacks in simulation.
Disclosure of Invention
In order to further understand the attack and detection modes of ICPS, the invention provides a fingerprint attack detection method based on a system residual error, and the system is far away from a stable state by falsifying communication data between a sensor and a controller through false data invasion; and detecting the existence of the attack by using the residual fingerprints of the system through a simulation experiment.
In order to achieve the above effects, the invention adopts the following technical scheme:
an industrial information physical system attack detection method based on system residual fingerprints comprises the following steps:
step 1, a physical model is constructed for a water level control system, and a state space equation is given, wherein the water level control system is taken as a typical linear time-varying system, and the system input and the system output are connected, so that under the condition that the sensor reading and the controller signal are known, the following linear dynamic state space model is constructed
Wherein A, B and C are system matrixes,and->Representing process noise and sensor noise, respectively, and both being independently subject to a gaussian distribution, at a certain discrete moment +.>The state of the system is->The state of the next momentFrom the current state and the current control quantity->Decision (S)>For the observation signals corresponding to the state quantity, namely the sensor output, after determining the model, acquiring data of the water level control system in normal operation;
step 2, obtaining each coefficient in a state space equation by a system identification method: under the condition of knowing the transmission format of the data, preprocessing the acquired data, and obtaining each coefficient in the formula (1) through a system identification method;
step 3, implementing internal attack in false data invasion form: further operating the obtained data, and injecting a non-zero constant into the target data based on the target data to obtain target data under attackThe form is as follows:
wherein y (k) is data transmitted between the sensor and the controller during normal operation of the system, delta is attack quantity added at a certain moment k, and is a non-zero constant, and three attack quantity numerical selection are given:
step 4, predicting the system state at the next moment by using Kalman filtering, obtaining a general form of a system residual error synthesis model, and detecting malicious attack by adopting synthesized residual error fingerprints;
and step 5, further sampling residual fingerprints under the injection attack of the decimal false data by using the sampling method, and amplifying the change of the residual fingerprints.
Further, in the step 4, the step of obtaining the system residual fingerprint by using the kalman filter is as follows:
4.1 for a linear time-varying system given by equation (1), the prediction and update procedure for the kalman filter is as follows:
4.1.1 prediction step:
P - (k+1)=AP(k)A T +ΓQ(k)Γ T (5)
wherein,and->The prior state at the time of k+1 and the posterior state at the time of k are respectively represented;and->Prediction error prior covariance matrix and posterior covariance matrix representing k+1 time and k time,/>A covariance matrix representing the process noise w (k), whereby the desired output of the next instant of the kalman filter prediction is +.>Is that
4.1.2 updating step: once the system output y (k+1) at the next instant is determined, the update step of the kalman filter is expressed as:
wherein,is Kalman gain matrix, I is identity matrix,>is the covariance matrix of the measured noise eta (k);
4.2 derivation of residual fingerprint model as follows:
4.2.1 general expression of system residuals with respect to process noise and metrology noise: defining a state error function e (k):
further waiting to more general state error expressions
And have residual error r (k) 2R n Definition of the definition
Further deriving a function of the system residual with respect to process noise and measurement noise
4.2.2 fingerprint modelThe method comprises the following steps: using the formula (11) as a residual fingerprint synthesis statistical model, using process noise and measurement noise as an input set X of the model, and using a residual set as an output fingerprint set
Still further, in the step 5, the sampling method is as follows: for tiny values of spurious data injected by high-level aggressors, the residual in equation (10) becomes:
r′(k)=Ce(k)+η(k)+δ(k) (13)
from the above equation, it is considered that malicious attacks of adversary's injection are directly added to the measured noise, i.e
η′(k):=η(k)+δ(k) (14)
The further input and output set of fingerprint models becomes:
order theRepresenting the residual difference sequence, the following sampling method is proposed:
the beneficial effects of the invention are mainly shown in the following steps: during normal operation of the ICPS, an attacker, usually an internal person, carries out malicious attack in the form of false data invasion on the system from the inside, falsifies data and deceives the controller, thereby achieving the purpose of destroying the ICPS and presenting the defect of low security performance of the ICPS. Meanwhile, an attack detection method based on the system residual fingerprints is provided, so that malicious attacks in the system can be effectively detected, false data injection attacks with tiny values can be further detected by using the provided sampling method, the detection time can be shortened, and the instantaneity is improved.
Drawings
Fig. 1 is a schematic view of a water level control platform.
Fig. 2 is a flowchart of attack detection.
Fig. 3 is a schematic diagram of a dummy data intrusion attack against ICPS.
Fig. 4 is a residual fingerprint model generation flow chart.
Fig. 5 is a graph of water level related data during normal operation of the system.
FIG. 6 is a graph comparing water level data at the time of large-value spurious data intrusion with normal water level data.
FIG. 7 is a graph comparing water level data at the time of intrusion of minute-value dummy data with normal water level data.
Fig. 8 is a diagram of residual fingerprint data after sampling.
Detailed Description
In order to make the technical scheme and design thought of the invention clearer, the invention is further described in detail below with reference to the accompanying drawings.
Referring to fig. 1 to 8, an industrial information physical system attack detection method based on system residual fingerprints includes the following steps:
step 1: a physical model is constructed for the water level control system and its state space equation is given. The experiment platform is a three-level water tank water level control system, and the experiment platform mainly comprises a water tank, a controller, a sensor, an actuator and a personal computer. The controller is connected with the sensor and the actuator, and receives the instruction sent by the computer and the sensor measurement data, and sends the control instruction to the actuator after calculation, as shown in fig. 1, a PLC is selected as the controller, a water level sensor is used as the main sensor, an electromagnetic valve and a water pump are used as the actuator, the cross section area of the water tank is set to be 1 square meter, when the system normally operates, the outlet pump keeps working, and the water inlet pump has three working modes: when the water level is 0.2-0.8m, the water inlet pump is in a half-on state, when the water level is reduced to below 0.2m, the water inlet pump is in a full-on state, and when the water level is increased to above 0.8m, the water inlet pump is in a closed state. Overflow occurs at 1.0 m;
step 2, obtaining each coefficient in a state space equation by a system identification method: after the state space of the formula (1) is obtained, each coefficient needs to be determined, and the water tank is considered to be a regular cuboid and can be obtained by a mass balance equation
Wherein DeltaV represents the volume of water in the water tank which increases in a net manner in unit time, S is the cross-sectional area of the water tank, L is the water level of the water tank,is the change of water level in unit time, further, deltaV is expressed as
ΔV=Q in -Q out (18)
Wherein Q is in ,Q out The inflow and outflow of water when the two water pumps are operated simultaneously are shown, and the above formulas are organized as follows:
in the above formula, L (k) is the water level at the current time k, corresponding to x (k) in (1), L (k+1) is the water level at the next time k+1, corresponding to x (k+1) in (1), Q in (k)-Q out (k) As a control input at time k, i.e., u (k), as a result, the respective variables and coefficients of the state equation are x (k) =l (k), x (k+1) =l (k+1), u (k) = [ Q in (k),Q out (k)] T ,A=C=1;
Step 3, implementing internal attack in false data invasion form: fig. 3 shows a schematic diagram of an attack against ICPS dummy data intrusion, the goal of which is to inject a dummy data value δ over the communication link between the sensor and the controller, falsify the normal sensor readings, the choice of spoof controller, δ is shown in equation (3), and different values of the dummy data intrusion attack can be launched depending on the level of the attacker. In order not to be detected by conventional IDS, high-level aggressors designed a zero-alert attack, considering bad data detection:
wherein the method comprises the steps ofFor the predicted value of the water level, alpha is the threshold of the detector, alpha is defined according to the false alarm rate in the tolerable range, and obviously, the goal of an attacker is to guarantee +.>Always less than the threshold α, therefore, there is the following attack sequence
Where ε is a sufficiently small positive constant, an attacker maintains the residual by injecting the attack sequenceThe system is destroyed to the greatest extent for a constant value alpha-epsilon;
step 4, residual fingerprint synthesis and application: according to experience, equipment characteristics and multiple experiments, obtaining process noise and system noise as inputs of a residual fingerprint statistical model (11), and obtaining output as residual fingerprints; the residual fingerprint model generating step is shown in fig. 4, when the system is in normal operation, the actual water level value, the measured value, the Kalman predicted value and the residual fingerprint value are shown in fig. 5, and the fact that the actual water level value, the measured value and the Kalman predicted value are not greatly different can be seen, and further, the residual fingerprint is not obviously changed under normal operation, but only fluctuates within an error range;
considering that an attacker injects large-value dummy data δ=50, as shown in fig. 6, and injects large-value dummy data at 200s at sampling time, to obtain fig. 6 (d), (e) and (f), it can be seen from fig. 6 (d) that there is a significant mutation in the water level measurement value and the actual value at 200s time, because the injection of dummy data causes fraud to the controller, resulting in that the measurement value received by the controller becomesAs shown in fig. 6 (e). Meanwhile, the abnormal residual fingerprint in the figure 6 (f) obviously exceeds the normal error range to reach the detection threshold value at the moment of 200s, so that the existence of internal false data spoofing attack can be intuitively seen;
step 5, sampling method: without loss of generality, consider that a high level attacker injects tiny spurious data δ=5, as shown in fig. 7. Comparing fig. 7 (a) and (d) it can be seen that the minute spurious data injected at 200s time makes the real water level move down a small amount, this change is more obvious in fig. 7 (e), but the objectively existing value of the real water level value in the real scene can only be obtained indirectly through the measured value, and the internal attack cannot be detected directly only through the change of the measured value and the real value due to the existence of the error and the noise. In fact, the residual fingerprint has uniqueness and stability, and any data intrusion attack will change the residual fingerprint. However, note that the residual fingerprint of fig. 7 (f) has no obvious anomaly, and the value thereof does not reach the detection threshold, so that the existence of an attack cannot be explained by only the residual fingerprint of fig. 7 (f);
for this purpose, a sampling method of formula (16) is proposed, and as shown in fig. 8, tiny numerical false data are added at the moments of 100s,200s,350s and 450s respectively. Fig. 8 (a), (b), (c) and (d) are residual fingerprints under attack added at times 100s,200s,350s and 450s in sequence, and it can be clearly seen that the time of attack detection is much earlier than the time of attack injection, as in fig. 8 (c), the internal attack is injected at 350s, but the existence of the attack is detected at about 150 after the oversampling process. In fact, the moment of attack injection and the moment it is detected have the following relationship:
T=N+1-T′ (22)
wherein T is the moment when the internal attack is detected, T' is the attack injection moment, and N is the original sampling time.
It can be seen from fig. 5-8 that the attack detection method based on the system residual fingerprint can detect the internal attack of large-value false data injection or the injection of tiny data, and the effectiveness of the method on the internal attack is fully illustrated. Meanwhile, the sampling method also improves the detection instantaneity of the internal attack.
Claims (3)
1. An industrial information physical system attack detection method based on system residual fingerprints is characterized by comprising the following steps:
step 1, constructing a physical model for a water level control system, providing a state space equation of the physical model, and constructing a linear dynamic state space model as follows
Wherein A, B and C are system matrixes,and->Representing process noise and sensor noise, respectively, and both being independently subject to a gaussian distribution, at a certain discrete moment +.>The state of the system is->The state of the next momentFrom the current state and the current control quantity->Decision (S)>For the observation signals corresponding to the state quantity, namely the sensor output, after determining the model, acquiring data of the water level control system in normal operation;
step 2, preprocessing the acquired data under the condition of knowing the transmission format of the data, and obtaining each coefficient in a system state space equation through a system identification method;
step 3, implementing internal attack in false data invasion form: further operating the obtained data, and injecting a non-zero constant into the target data based on the target data to obtain target data under attackThe form is as follows:
wherein y (k) is data transmitted between the sensor and the controller during normal operation of the system, delta is attack quantity added at a certain moment k, and is a non-zero constant, and three attack quantity numerical selection are given:
step 4, predicting the system state at the next moment by using Kalman filtering, obtaining the general form of a synthetic model of the system residual fingerprint, and detecting malicious attack by adopting the synthetic residual fingerprint;
and step 5, further sampling residual fingerprints under the injection attack of the decimal false data by using the sampling method, amplifying the change of the residual fingerprints, shortening the detection time and improving the detection instantaneity.
2. The method for detecting the attack of the industrial information physical system based on the system residual fingerprints according to claim 1, wherein in the step 4, the step of synthesizing the system residual fingerprints is as follows:
4.1 Kalman filtering prediction step:
P - (k+1)=AP(k)A T +ΓQ(k)Γ T (5)
wherein,and->The prior state at the time of k+1 and the posterior state at the time of k are respectively represented;and->Prediction error prior covariance matrix and posterior covariance matrix representing k+1 time and k time,/>A covariance matrix representing the process noise w (k), whereby the desired output of the next instant of the kalman filter prediction is +.>Is that
4.2 updating: the update step of the kalman filter can be expressed as:
wherein,is Kalman gain matrix, I is identity matrix,>is the covariance matrix of the measured noise eta (k);
4.3 the synthetic deduction steps of the residual fingerprint model are as follows:
4.3.1 first derive a synthetic model of the system residual, defining a state error function e (k):
further waiting to more general state error expressions
And have residual error R (k) 2R n Definition of the definition
Further deriving a function of the system residual with respect to process noise and measurement noise, i.e. fingerprint synthesis model
4.2.2 residual fingerprint generation: process noise and measurement noise are taken as an input set X of a model, and a residual set is taken as an output fingerprint set
3. The industrial information physical system attack detection method based on the system residual fingerprints as set forth in claim 2, wherein the sampling method in the step 5 is as follows:
for tiny-value false data injected by a high-level attacker, the fingerprint model cannot be used for detection, and the system residual becomes:
r′(k)=Ce(k)+η(k)+δ(k) (13)
from the above, we can consider that the malicious attack of adversary's injection is directly imposed on the sensor noise, i.e
η′(k):=η(k)+δ(k) (14)
The further input and output set of fingerprint models becomes:
order theRepresenting the residual difference sequence, the following sampling method is proposed:
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911210841.4A CN111079271B (en) | 2019-12-02 | 2019-12-02 | Industrial information physical system attack detection method based on system residual fingerprint |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911210841.4A CN111079271B (en) | 2019-12-02 | 2019-12-02 | Industrial information physical system attack detection method based on system residual fingerprint |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111079271A CN111079271A (en) | 2020-04-28 |
| CN111079271B true CN111079271B (en) | 2024-03-22 |
Family
ID=70312358
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911210841.4A Active CN111079271B (en) | 2019-12-02 | 2019-12-02 | Industrial information physical system attack detection method based on system residual fingerprint |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111079271B (en) |
Families Citing this family (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111708350B (en) * | 2020-06-17 | 2022-12-20 | 华北电力大学(保定) | Hidden false data injection attack method for industrial control system |
| CN113778054B (en) * | 2021-09-09 | 2022-06-14 | 大连理工大学 | Double-stage detection method for industrial control system attack |
| CN114063602B (en) * | 2021-11-15 | 2023-12-22 | 沈阳航空航天大学 | Active attack detection method for improving detection rate |
| CN114666153B (en) * | 2022-04-08 | 2022-11-18 | 东南大学溧阳研究院 | False data injection attack detection method and system based on state estimation residual distribution description |
| CN114928497A (en) * | 2022-06-01 | 2022-08-19 | 广东石油化工学院 | Identity authentication method based on multi-granularity features |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108196448A (en) * | 2017-12-25 | 2018-06-22 | 北京理工大学 | False data injection attacks method based on inaccurate mathematical model |
| CN109361678A (en) * | 2018-11-05 | 2019-02-19 | 浙江工业大学 | A kind of intelligent network connection automobile automatic cruising system false data detection method for injection attack |
-
2019
- 2019-12-02 CN CN201911210841.4A patent/CN111079271B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108196448A (en) * | 2017-12-25 | 2018-06-22 | 北京理工大学 | False data injection attacks method based on inaccurate mathematical model |
| CN109361678A (en) * | 2018-11-05 | 2019-02-19 | 浙江工业大学 | A kind of intelligent network connection automobile automatic cruising system false data detection method for injection attack |
Non-Patent Citations (1)
| Title |
|---|
| 虚假数据注入攻击信号的融合估计;翁品迪;自动化学报;20190722;1-8 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111079271A (en) | 2020-04-28 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN111079271B (en) | Industrial information physical system attack detection method based on system residual fingerprint | |
| Ahmed et al. | Noise matters: Using sensor and process noise fingerprint to detect stealthy cyber attacks and authenticate sensors in cps | |
| Ahmed et al. | Noiseprint: Attack detection using sensor and process noise fingerprint in cyber physical systems | |
| Sánchez et al. | Bibliographical review on cyber attacks from a control oriented perspective | |
| Amin et al. | Cyber security of water SCADA systems—Part II: Attack detection using enhanced hydrodynamic models | |
| Amin et al. | Stealthy deception attacks on water SCADA systems | |
| Ahmed et al. | Model-based attack detection scheme for smart water distribution networks | |
| Hosseinzadeh et al. | Feasibility and detection of replay attack in networked constrained cyber-physical systems | |
| Amin et al. | Cyber security of water SCADA systems—Part I: Analysis and experimentation of stealthy deception attacks | |
| CN108803565B (en) | Real-time detection method and device for industrial control system hidden attack | |
| Jardine et al. | Senami: Selective non-invasive active monitoring for ics intrusion detection | |
| CN108196448A (en) | False data injection attacks method based on inaccurate mathematical model | |
| CN108388233B (en) | Industrial control field device hidden attack detection method | |
| Tunga et al. | Tuning windowed chi-squared detectors for sensor attacks | |
| CN107454096B (en) | A kind of wrong report removing method based on log playback | |
| Ahmed et al. | Limitations of state estimation based cyber attack detection schemes in industrial control systems | |
| CN111698257B (en) | Industrial information physical system security detection method for multi-class malicious attacks | |
| Ahmed et al. | Noisense print: detecting data integrity attacks on sensor measurements using hardware-based fingerprints | |
| CN112688946B (en) | Method, module, storage medium, device and system for constructing abnormality detection features | |
| US11886158B2 (en) | System architecture and method of processing data therein | |
| Qadeer et al. | Multistage downstream attack detection in a cyber physical system | |
| Li et al. | Attack detection for cyber-physical systems: A zonotopic approach | |
| Ahmed et al. | Process skew: Fingerprinting the process for anomaly detection in industrial control systems | |
| CN115052304A (en) | GCN-LSTM-based industrial sensor network abnormal data detection method | |
| Hong et al. | $ R $-print: A system residuals-based fingerprinting for attack detection in industrial cyber-physical systems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |