CN106330975A - Method for periodic exception detection based on SCADA system - Google Patents
- Publication number: CN106330975A (application CN201610953812.7A)
- Authority
- CN
- China
- Prior art keywords
- stage
- scada system
- abnormality detection
- detection based
- periodicity
- Legal status: Pending
Classifications
- H04L63/1416—Event detection, e.g. attack signature detection (H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security; H04L63/14—for detecting or protecting against malicious traffic; H04L63/1408—by monitoring network traffic)
- H04L63/1425—Traffic logging, e.g. anomaly detection (same parent hierarchy: H04L63/00, H04L63/14, H04L63/1408)
Abstract
The invention discloses a method for periodic exception detection based on a SCADA system. The method comprises the following steps: obtaining the periodic pulses transmitted in the SCADA system, aggregating data packets, and storing a data stream; obtaining two features of the periodic pulses, their frequency and size, through a periodicity learning stage, and selecting feature items by comparing the feature items; matching the data stream against the feature items and judging the exception; and sending an alarm. The method improves the security of the industrial control network.
Description
Technical field:
The invention belongs to the field of industrial control network information security, and specifically relates to a method for periodic anomaly detection based on a SCADA system.
Background technology:
SCADA (Supervisory Control And Data Acquisition) refers to data acquisition and supervisory control. SCADA systems are very widely applied and play an important role in fields such as petrochemicals, power systems, water supply systems and nuclear power; Fig. 1 is a schematic diagram of a SCADA system in the petrochemical safety industry. With the development of networking, SCADA systems have progressively evolved from isolated network systems on proprietary hardware into modular systems that run openly and transparently and communicate over computer networks such as TCP/IP using standard network protocols. Given the importance of these systems, their security problems have drawn increasing attention: once a system is attacked, the consequences may be catastrophic. Thus, while costs fall and efficiency rises, the security problems faced by SCADA systems become more prominent by the day.
In the present invention, an intrusion detection system (IDS) serves as a very important device for tracking malicious behaviour. The known way of handling intrusion threats is based on identifying misuse or mis-operation, and the identification of malicious attacks is grounded in detecting abnormal operational behaviour. The anomaly detection approach characterises the normal operation of the network and, on that basis, identifies deviations, i.e. abnormal behaviour. Anomaly detection systems are applied to different aspects of a SCADA system, from communication protocols to processing tasks such as log analysis.
SCADA systems are distributed across production environments to monitor and control various devices; to reach this goal, data must be obtained from these devices continuously, so an infrastructure environment with real-time response must be established. The typical way is to obtain data by an automatic polling mechanism, i.e. polling requests are sent at a preset time interval to the field devices to obtain production data in real time; the side effect of this approach is that the communication behaviour is highly periodic. The present invention proposes to use this automatic polling mechanism to detect abnormal intrusions, monitoring changes in this reporting pattern and protecting those network services that are accessed periodically. It should be noted that although some attacks can destroy the periodicity of transmission, changes in transmission periodicity are not necessarily all malicious. The aim of the present invention is to locate such destructive behaviour.
Summary of the invention:
In view of the above problems, the present invention proposes a method for periodic anomaly detection based on a SCADA system.
To achieve the above purpose, the technical scheme is as follows:
A method for periodic anomaly detection based on a SCADA system, comprising:
A transmission acquisition stage: passively monitoring and analysing the transmissions of the SCADA system, received from the monitoring centre side.
A flow establishment stage: establishing network flows, aggregating data packets in an efficient way, and storing the data flow as a time series.
A periodicity learning stage: learning the normal behaviour of the system and extracting two features, the frequency of the periodic pulses and the size of the periodic pulses.
A feature item comparison stage: selecting feature items by means of an algorithm.
An anomaly detection stage: matching the data flow obtained in the flow establishment stage against the feature items obtained in the feature item comparison stage; if the data flow matches a feature item, it is identified as anomalous, an alarm is sent, and the result is fed back to the periodicity learning stage.
Preferably, in the above technical scheme, in the flow establishment stage:
The server-side transmission port is used to aggregate data packets, and the periodic pulses are isolated depending on the application program and protocol in use.
Preferably, in the above technical scheme, in the flow establishment stage:
The sample frequency SF used for storing the data flow is:
SF=1/P,
where P is a certain time interval.
Preferably, in the above technical scheme, the periodicity learning stage performs its analysis off-line, and its effectiveness is verified by the network administrator.
Preferably, in the above technical scheme, the feature item comparison stage specifically comprises the following steps:
Using Zipf's law to analyse the normal communication and abnormal communication stored in the periodicity learning stage.
Calculating the mutual information of each category.
Sorting by mutual information in descending order and, starting from the largest, extracting a certain number of rules in turn as feature items.
The beneficial effects of the present invention are as follows: by acquiring the periodic pulses of the transmissions in the SCADA system, aggregating data packets and storing the data flow; obtaining the two features of the periodic pulses, frequency and size, through the periodicity learning stage; selecting feature items by feature item comparison; matching the data flow against the feature items to judge anomalies; and sending alarms, the present invention improves the security of the industrial control network.
Description of the drawings:
The following drawings are only intended to schematically illustrate and explain the present invention and do not limit its scope. In the drawings:
Fig. 1 is a schematic diagram of a SCADA system in the petrochemical safety industry according to one embodiment of the invention;
Fig. 2 is a schematic diagram of the implementation of the method for periodic anomaly detection based on a SCADA system according to one embodiment of the invention.
Detailed description of the invention:
The present embodiment provides a method for periodic anomaly detection based on a SCADA system.
1. Periodicity analysis of network transmission.
A typical SCADA system exhibits a train of periodic packet pulses, i.e. it transmits a certain number of packets at fixed time intervals. These periodic pulse trains are produced by the data requests of the clients and the responses of the server side. Periodic network transmission has two key features that determine its nature: the frequency of the periodic pulse train and its size. It should be noted here that aperiodic behaviour (or interference) can arise while monitoring periodic transmission, and such interference has multiple causes, such as network delay, packet loss, retransmission, and specific protocol exchanges (such as the TCP three-way handshake).
Not all SCADA system connections necessarily exhibit periodic features. For example, PLC devices generally need to be accessed manually, in which case aperiodic behaviour is observed. The present invention focuses only on the normal behaviour of ordinary network transmission whose packets form periodic pulses.
2. Impact analysis of attacks.
Assume that some intrusion behaviours destroy the periodicity of transmission. To examine this assumption, the present invention considers different types of attacks and studies how they affect transmission periodicity. The present invention uses the access list of SCADA system attack signatures employed in intrusion detection systems; the list contains signatures protecting the two SCADA communication standards Modbus TCP and DNP3.
Information gathering precedes other attacks and is a challenge for the attacker, because as much information about the target system as possible has to be collected. A typical way to obtain information is scanning, such as a Modbus TCP point range scan. Scanning needs to test as many addresses or ports as possible, so the attacker usually performs the operation quickly, and such scanning can be detected quickly because the transmission it produces is clearly not periodic. Note that if the attacker scans slowly in a periodic manner, it can still be detected, because it runs at a frequency different from that of the normal service.
Denial of service attacks aim to prevent legitimate users from accessing a service or to reduce its performance. For example, the active response storm targeting DNP3 attempts to send a number of unsolicited response packets to overload the DNP3 service, something that under normal circumstances produces a warning. If the attacker sends a large number of packets in a short time, this attack can be seen as a peak of aperiodic transmission. Similar to scanning, this attack may also be performed very slowly, but that reduces the effect of the attack at the same time.
Network attacks exploit the behaviour of the various network protocols. For example, with Modbus TCP as the target, an attack that clears counters and registers while trying to avoid detection uses a single packet with a special function code to clear the counters and registers of the SCADA server. We cannot detect most attacks of this kind, because they are performed with a small number of packets and do not interfere with the periodicity of transmission. But we can detect the effects such attacks produce. For example, with Modbus TCP as the target, a delay attack using the device busy exception code answers each information request with "device busy", so that responses time out. In this case, however, the change in transmission periodicity is not marked; the typical pattern during the attack is that many packets replace the amplitude change that a single packet would cause.
Buffer overflow attacks attempt to gain control of the system by overflowing its buffer. For example, a denial of service based on the size of an illegal Modbus TCP packet sends a single packet of illegal size to exploit a bug in the protocol stack. Moreover, the method used in the present invention does not target the packets themselves, but if the attack succeeds and crashes the target system, the normal transmission pattern is obviously destroyed.
In summary, many attacks cause one of the following three changes, at different frequencies:
1. A newly added or lost periodic pulse frequency.
2. A change in the periodic pulse size.
3. An increase in interference factors.
It must be emphasised that our goal is anomaly monitoring, and a deviation from the normal periodic transmission behaviour is not necessarily malicious. For example, manual access to a PLC for testing can cause aperiodic transmission, and the result would be a triggered alarm.
As shown in Fig. 2, the method for periodic anomaly detection based on a SCADA system of the present invention comprises:
A transmission acquisition stage: passively monitoring and analysing the transmissions of the SCADA system, received from the monitoring centre side. In this stage, packets not related to the SCADA process, namely DNS and DHCP, are filtered out.
A flow establishment stage: establishing network flows and aggregating data packets in an efficient way. In this stage, it is assumed that packets are aggregated by the server-side transmission port, so that the network service to be protected can be identified. Although the server transmission port can effectively isolate periodic transmission in trace analysis, in other cases more aggregation is needed. For example, if a service is accessed by two different clients, one using a polling mechanism and the other not, the client address must be added as an aggregation element to isolate the periodic behaviour. Another approach is to use application-level information to isolate the periodic pulses; the optimal mode in practice depends on the application program and protocol used.
The data flow is stored as a time series, i.e. at every certain time interval P, the number of packets belonging to a specific flow is stored. The sample frequency SF used for storing the data flow is:
SF=1/P,
where P is a certain time interval. SF is a trade-off between accuracy and performance. The higher the frequency, the more detail about the data flow is stored, and the more processing must be performed on the data.
A periodicity learning stage: before detection, the normal behaviour of the system must be learned. In this stage we extract two features: the frequency and the size of the periodic pulses. We assume that the periodic pulses of a service do not change over time, so the analysis can also be performed off-line and its effectiveness verified by the network administrator.
A feature item comparison stage: feature items are selected by means of an algorithm. Since the feature vector cannot cover all situations, feature selection must be carried out with some algorithm. The feature item comparison stage specifically comprises the following steps:
Using Zipf's law to analyse the normal communication and abnormal communication stored in the periodicity learning stage.
Calculating the mutual information of each category.
Sorting by mutual information in descending order and, starting from the largest, extracting a certain number of rules in turn as feature items (the larger the mutual information, the greater the probability that the feature term belongs to that category).
An anomaly detection stage: matching the data flow obtained in the flow establishment stage against the feature items obtained in the feature item comparison stage; if the data flow matches a feature item, it is identified as anomalous, an alarm is sent, and the result is fed back to the periodicity learning stage. The different types of abnormal attacks that can be detected were described above; if an anomaly is detected, an alarm operation takes place. Ideally the alarm message should provide sufficient information so that the corresponding action can be taken. If a new periodic pulse is detected in a flow, the alarm information should give details of the source of that pulse. The alarm is also fed back to the periodicity learning stage, updating the feature item library so that periodicity learning can adapt.
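As an added worked example (not code from the patent), the following Python sketches the flow establishment, periodicity learning and anomaly detection stages described above for a single flow: packets are binned at SF = 1/P, the normal pulse period and pulse size are learned from a baseline window, and a test window is checked for the three change types listed earlier (a new or lost pulse frequency, a pulse size change, more interference). The traffic itself, the P = 0.5 s bin width, the 2 s Modbus-style poll, the tolerances and the gap-histogram heuristics are constructed assumptions; the Zipf / mutual-information feature selection of the patent is not implemented here.

```python
from collections import Counter

def bin_flow(packets, P, duration):
    """Store one flow (already aggregated by server port and client) as a time
    series: packets and bytes per bin of width P, i.e. sampled at SF = 1/P."""
    n = int(round(duration / P))
    counts, nbytes = [0] * n, [0] * n
    for t, size in packets:
        i = int(t // P)
        if 0 <= i < n:
            counts[i] += 1
            nbytes[i] += size
    return counts, nbytes

def learn_profile(counts, nbytes):
    """Periodicity learning: modal gap between pulse bins (period, in bins), the
    phase of that grid, modal pulse size (bytes) and the baseline off-grid share."""
    pulses = [i for i, c in enumerate(counts) if c > 0]
    gaps = [b - a for a, b in zip(pulses, pulses[1:])]
    period = Counter(gaps).most_common(1)[0][0]
    phase = pulses[0] % period
    on_grid = [i for i in pulses if i % period == phase]
    size = Counter(nbytes[i] for i in on_grid).most_common(1)[0][0]
    return {"period": period, "phase": phase, "size": size,
            "noise": 1 - len(on_grid) / len(pulses)}

def detect(counts, nbytes, prof, size_tol=0.10, noise_tol=0.10, lost_tol=0.20):
    """Anomaly detection: compare a window with the learned profile and name
    which of the three change types from the description is present, if any."""
    alerts = []
    period, phase = prof["period"], prof["phase"]
    grid = range(phase, len(counts), period)
    on = [i for i in grid if counts[i] > 0]
    off = [i for i, c in enumerate(counts) if c > 0 and i % period != phase]
    # change 1 (lost pulses): expected grid slots that carried no traffic
    lost = 1 - len(on) / len(grid)
    if lost > lost_tol:
        alerts.append(("lost_pulse", round(lost, 2)))
    # change 2: modal size of the surviving on-grid pulses has drifted
    if on:
        size = Counter(nbytes[i] for i in on).most_common(1)[0][0]
        if abs(size - prof["size"]) > size_tol * prof["size"]:
            alerts.append(("size_change", size))
    # change 1 (new pulse): off-grid pulses that themselves repeat at a fixed
    # gap, e.g. a slow periodic scan; a gap of 1 bin is a burst, not a period
    gaps = [b - a for a, b in zip(off, off[1:])]
    if len(gaps) >= 2:
        mode, hits = Counter(gaps).most_common(1)[0]
        if mode >= 2 and hits / len(gaps) >= 0.6:
            alerts.append(("new_pulse", mode))  # period in bins; seconds = mode * P
            return alerts
    # change 3: irregular off-grid pulses well above the learned baseline
    noise = len(off) / max(1, len(on) + len(off))
    if noise - prof["noise"] > noise_tol:
        alerts.append(("interference", round(noise, 2)))
    return alerts

def normal_traffic(poll=2.0, duration=60.0, resp=27):
    """Constructed Modbus-style poll: a 12-byte request and a resp-byte reply
    every `poll` seconds, plus one retransmitted reply at t=13.3 s (benign)."""
    pk, t = [], 0.0
    while t < duration:
        pk += [(t, 12), (t + 0.05, resp)]
        t += poll
    pk.append((13.3, resp))
    return pk

def run_scenarios(P=0.5, duration=60.0):
    """Learn on the constructed normal traffic, then test four constructed deviations."""
    prof = learn_profile(*bin_flow(normal_traffic(), P, duration))
    cases = {
        "normal": normal_traffic(),
        # slow periodic scan: one 12-byte probe every 3 s, off the 2 s poll grid
        "slow_scan": normal_traffic() + [(0.5 + 3.0 * k, 12) for k in range(20)],
        "size_change": normal_traffic(resp=60),    # replies grow to 60 bytes
        "lost": normal_traffic(duration=30.0),     # polling stops half-way
        "interference": normal_traffic() + [(t, 27) for t in
                        (3.3, 9.1, 11.7, 20.6, 27.3, 33.4, 45.9, 51.2)],
    }
    return prof, {k: detect(*bin_flow(v, P, duration), prof) for k, v in cases.items()}

if __name__ == "__main__":
    profile, results = run_scenarios()
    for name, alerts in results.items():
        print(f"{name:13s} -> {alerts or 'no anomaly'}")
```

With the constructed input the profile learns a 4-bin (2 s) period with 39-byte pulses, and only the four deviating windows raise an alert.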
In the method for periodic anomaly detection based on a SCADA system described in this embodiment, the present invention acquires the periodic pulses of the transmissions in the SCADA system, aggregates data packets and stores the data flow; obtains the two features of the periodic pulses, frequency and size, through the periodicity learning stage; selects feature items by feature item comparison; matches the data flow against the feature items to judge anomalies; and sends alarms, thereby improving the security of the industrial control network.
Obviously, the above embodiment is only an example given for clear illustration and is not a limitation of the embodiments. Those of ordinary skill in the art may also make other changes or variations of different forms on the basis of the above description. It is neither necessary nor possible to list all embodiments exhaustively. Obvious changes or variations derived therefrom still fall within the scope of protection of the invention.
Claims (5)
1. A method for periodic anomaly detection based on a SCADA system, characterised in that it comprises:
a transmission acquisition stage: passively monitoring and analysing the transmissions of the SCADA system, received from the monitoring centre side;
a flow establishment stage: establishing network flows, aggregating data packets in an efficient way, and storing the data flow as a time series;
a periodicity learning stage: learning the normal behaviour of the system and extracting two features, the frequency of the periodic pulses and the size of the periodic pulses;
a feature item comparison stage: selecting feature items by means of an algorithm;
an anomaly detection stage: matching the data flow obtained in the flow establishment stage against the feature items obtained in the feature item comparison stage; if the data flow matches a feature item, it is identified as anomalous, an alarm is sent, and the result is fed back to the periodicity learning stage.
2. The method for periodic anomaly detection based on a SCADA system according to claim 1, characterised in that, in the flow establishment stage: the server-side transmission port is used to aggregate data packets, and the periodic pulses are isolated depending on the application program and protocol used.
3. The method for periodic anomaly detection based on a SCADA system according to claim 1, characterised in that, in the flow establishment stage:
the sample frequency SF used for storing the data flow is:
SF=1/P,
where P is a certain time interval.
4. The method for periodic anomaly detection based on a SCADA system according to claim 1, characterised in that:
the periodicity learning stage performs its analysis off-line, and its effectiveness is verified by the network administrator.
5. The method for periodic anomaly detection based on a SCADA system according to claim 1, characterised in that the feature item comparison stage specifically comprises the following steps:
using Zipf's law to analyse the normal communication and abnormal communication stored in the periodicity learning stage;
calculating the mutual information of each category;
sorting by mutual information in descending order and, starting from the largest, extracting a certain number of rules in turn as feature items.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610953812.7A CN106330975A (en) | 2016-11-03 | 2016-11-03 | Method for periodic exception detection based on SCADA system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106330975A true CN106330975A (en) | 2017-01-11 |
Family
ID=57819059
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610953812.7A Pending CN106330975A (en) | 2016-11-03 | 2016-11-03 | Method for periodic exception detection based on SCADA system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106330975A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107508831A (en) * | 2017-09-21 | 2017-12-22 | 华东师范大学 | A kind of intrusion detection method based on bus |
CN108809973A (en) * | 2018-06-05 | 2018-11-13 | 上海垣安环保科技有限公司 | A kind of active warning net for industrial network pacifies system |
CN108809973B (en) * | 2018-06-05 | 2020-09-11 | 上海垣安环保科技有限公司 | Active alarm network security system for industrial network |
CN110855711A (en) * | 2019-11-27 | 2020-02-28 | 上海三零卫士信息安全有限公司 | Industrial control network security monitoring method based on white list matrix of SCADA (supervisory control and data acquisition) system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102546638A (en) * | 2012-01-12 | 2012-07-04 | 冶金自动化研究设计院 | Scene-based hybrid invasion detection method and system |
CN102984170A (en) * | 2012-12-11 | 2013-03-20 | 清华大学 | System and method for safe filtering of industrial control network |
CN103676645A (en) * | 2013-12-11 | 2014-03-26 | 广东电网公司电力科学研究院 | Mining method for association rules in time series data flows |
CN103684910A (en) * | 2013-12-02 | 2014-03-26 | 北京工业大学 | Abnormality detecting method based on industrial control system network traffic |
CN103869139A (en) * | 2012-12-11 | 2014-06-18 | 兄弟工业株式会社 | Voltage anomaly detection device |
CN105187411A (en) * | 2015-08-18 | 2015-12-23 | 福建省海峡信息技术有限公司 | Distributed abnormal detection method for network data stream |
CN105429963A (en) * | 2015-11-04 | 2016-03-23 | 北京工业大学 | Invasion detection analysis method based on Modbus/Tcp |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20170111 |