CN109981583B - Industrial control network situation assessment method - Google Patents


Info

Publication number: CN109981583B
Application number: CN201910141568.8A
Authority: CN (China)
Prior art keywords: industrial control; situation; data; data packet; controller
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN109981583A
Inventors: 王浩, 杜蛟, 倪思甜, 汤梅, 王平
Current assignee: Chongqing University of Post and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Chongqing University of Post and Telecommunications
Events: application filed by Chongqing University of Post and Telecommunications; priority to CN201910141568.8A; publication of CN109981583A; application granted; publication of CN109981583B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/21 Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214 Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention discloses an industrial control network situation assessment method. It relates to industrial control network equipment comprising a security gateway, a programmable logic controller (PLC), field sensor devices, a security management platform and an engineer station, and comprises the following steps. S1: the engineer station configures and operates the industrial control system; the PLC of each area identifies the controlled equipment connected to its I/O module and matches it against the controlled equipment information list to form a periodic master-station/slave-station communication mode. S2: the PLC feeds data back to the security gateway in real time; the gateway's data packet deep analysis system extracts data features, removes redundant attribute features and keeps only the features related to the system behaviour mode, namely communication-protocol data features, PLC state information, industrial control network system state information and network traffic features. S3: the industrial control network situation evaluation model evaluates the situation of the system and forms an evaluation result.

Description

Industrial control network situation assessment method
Technical Field
The invention relates to the technical field of industrial control systems, and in particular to an industrial control network situation assessment method.
Background
Due to the widespread adoption of general-purpose software, hardware and network facilities, and integration with enterprise management information systems, industrial control systems are becoming more and more open and exchange data with the intranet and even the Internet. The former relative isolation of industrial control systems in their physical environment, and the proprietary nature of their software and hardware, are thus being broken: detailed information about an industrial control system can be obtained through the Internet or intranet, and the security awareness of enterprises operating industrial control systems is generally poor, which creates opportunities for hostile governments, terrorist organizations, commercial spies, malicious insiders, external intruders and the like.
Industrial control systems have many communication protocol types, missing or incomplete security verification mechanisms and weak staff security awareness, and therefore expose more attack surfaces than traditional networks, such as protocol vulnerabilities, host (upper computer) software vulnerabilities, industrial control device vulnerabilities and service vulnerabilities. The main shortcomings are: 1) because there are numerous equipment suppliers, ICS lack unified standards for system hardware, operating software, application software and protocol specifications, so ICS configurations are inherently vulnerable; 2) the widely used Modbus TCP protocol lacks authentication and authorization mechanisms and transmits data in plaintext; only the data collected by the field device layer can be protected by a security gateway in the network, and the traditional protection method, which filters by matching the packet format of the communication protocol, is a rule-configuration approach that has difficulty intercepting the many attacks in which a malicious attacker constructs packets that conform to the protocol specification; 3) in the field device layer, device register values are easily tampered with by an attacker while the packet format still conforms to the protocol specification, so the attack is hard to perceive and enterprise managers make wrong decisions.
As a result, the attack means aimed at industrial control systems are becoming more flexible and diverse, and have gradually evolved into APT attacks that pose a higher threat and are difficult to defend against. In the face of endless unknown network attack means, passive security defenses such as a traditional intrusion detection system, an industrial firewall and a whitelist cannot intercept all attacks outside the protected boundary. The research focus of industrial control security defense has therefore gradually shifted from passive defense technology to multi-level defense-in-depth technology based on active defense.
Disclosure of Invention
In view of this, the present invention provides an industrial control network situation assessment method that addresses the low accuracy and weak generalization capability of industrial control network systems in identifying unknown attacks and abnormal classes of devices.
The invention solves the technical problems by the following technical means:
An industrial control network situation assessment method relates to industrial control network equipment comprising a security gateway, a programmable logic controller (PLC), field sensor equipment, a safety management platform and an engineer station. The security gateway comprises a situation assessment subsystem and a data packet deep analysis system, and the industrial control network situation assessment method comprises the following steps:
the engineer station configures and operates the industrial control system; the PLC of each area identifies the controlled equipment connected to its I/O module and matches it against the controlled equipment information list to form a periodic master-station/slave-station communication mode;
the PLC feeds data information back to a security gateway in real time, and a data packet deep analysis system of the security gateway extracts data characteristics of the data information to obtain a characteristic vector;
the situation evaluation subsystem measures and counts according to the characteristic vectors and the classifier, evaluates the situation, and sends an alarm to the safety management platform for any abnormal result;
the PLC feeds data information back to the security gateway in real time, and a data packet deep analysis system of the security gateway extracts data characteristics of the data information to obtain a characteristic vector, wherein the step of obtaining the characteristic vector comprises the following steps:
the data packet deep analysis system specifies the characteristic fields present in a data packet and their expected values according to the message format of the Modbus TCP protocol, parses the message layer by layer in depth, and summarizes the instruction and state characteristics of the protocol;
a sliding time window is established for the communication of the master station and the slave station; important features are frequency-marked using the periodic time window, data packets are periodically collected and features extracted, and a feature vector is established;
in an industrial control system based on the Modbus TCP protocol, communication between the master station and the slave station in the field device layer is periodic. From the periodic read/write operations of the master station on the slave station devices, the controller command interval, controller gain, controller period time increment, controller gain increment, slave station address, data packet cyclic check code, data length, function code, command or response, and data packet transmission direction are obtained, so that a feature vector is constructed for each type of regular feature value based on communication frequency:
(feature vector formula given as an image in the original; not reproduced here)
The step in which the situation evaluation subsystem measures and counts according to the feature vectors and the classifier, evaluates the situation, and sends an alarm to the safety management platform for an abnormal result specifically comprises the following:
the situation assessment subsystem analyses data in real time according to the information from the data packet deep analysis system and, for the Modbus TCP protocol, constructs a characteristic vector of controller command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, data packet cyclic check code, data length, function code, command or response and data packet transmission direction. The feature vector is preprocessed and reduced in dimensionality: linear dimensionality reduction is applied to the preprocessed feature vector with principal component analysis, extracting from the multi-dimensional features the information pivot elements that reflect the data attributes. The preprocessed, reduced feature vectors are then pre-extracted and optimized. An industrial control network situation evaluation model based on a binary-tree multi-class support vector machine is established; for typical industrial control attack behaviours, a situation value correspondence table of the normal state and the various attack states is established through a hierarchical quantitative evaluation method for network security threat situations, and a situation value interval and an alarm threshold are set for each type of attack. If the situation value evaluated in real time exceeds the alarm threshold, the situation evaluation subsystem immediately sends an alarm message to the security management platform.
Further, the controller command interval is the time interval between identical instructions sent by the PLC to the controlled equipment; the controller gain, controller cycle time increment and controller gain increment are obtained from the controller's feedback and represent the state information of the controller. The slave station address, data packet cyclic check code, data length, function code and command or response are analysed through the Modbus TCP protocol characteristics and the periodicity rule to obtain the characteristic frequency of each field of the data packet. The direction of the data packet is the transmission direction derived from the packet's source and destination addresses when the PLC and the controlled equipment exchange data.
Further, the situation evaluation subsystem comprises a binary tree-based multi-class Support Vector Machine (SVM) model, which is built by the following steps:
building an industrial control platform and building a typical industrial control attack;
constructing an initial situation value and a situation interval of typical industrial control attack, simultaneously extracting a characteristic vector, preprocessing the characteristic vector data, and pre-extracting and optimizing the characteristic vector;
constructing a multi-class SVM model based on a binary tree; optimizing the parameters of the multi-class SVM; and completing the construction of the multi-class SVM model.
Further, the typical industrial control attack includes: command Injection attack (Command Injection), Response Injection attack (Response Injection), and Denial of Service attack (DoS).
The beneficial effects of the invention are:
1. By periodically correcting the situation assessment model, abnormal samples are continuously added and learned and the situation assessment model is retrained, so that the accuracy and generalization capability of the situation assessment are improved.
2. The situation evaluation model not only provides a detection algorithm for protocol characteristics in the data transmission process of the control-layer network, but also takes the controller state and the network traffic condition into account, so that the result reflects the overall state of the system more accurately.
3. By using a training method of pre-extracting support vectors and loop iteration, the situation value of the system is obtained more quickly and accurately, and the situation state of the system can be judged.
4. A mapping table of typical attacks and situation values is drawn from three types of typical system attacks, and the intervals of the various typical situations are set according to the rules of the mapping table. A binary tree-based multi-class support vector machine model is established that can directly judge the type of attack the system is suffering, reflecting the system security condition more accurately.
Drawings
FIG. 1 is a schematic diagram of a system architecture of an industrial control network situation assessment method according to the present invention;
FIG. 2 is a diagram of a Modbus TCP message structure;
FIG. 3 is an example of a PLC control system;
FIG. 4 is a binary tree based multi-class SVM classification;
FIG. 5 is a situation awareness interval mapping table;
FIG. 6 is a flow chart of multi-class SVM construction;
Detailed Description
The invention will be described in detail below with reference to the following figures and specific examples:
Aiming at the Modbus TCP protocol characteristics of an industrial control system, the invention constructs feature vectors from system state characteristics such as communication behaviour frequency, using the controller command interval, controller gain, controller period time increment, controller gain increment, slave station address, data packet cyclic check code, data length, function code, command or response and data packet transmission direction, and establishes an industrial control network situation evaluation model based on an improved multi-class support vector machine. A situation value correspondence table is established from the normal state and the various typical attack states; the situation values in the table are fed into a support vector machine for training; the normal state of the industrial control system and the situation intervals under the various typical industrial control attacks are then delimited, and the junction of each pair of intervals is taken as a root node of a binary tree, thereby establishing a binary tree-based multi-class support vector machine model.
As shown in fig. 1, the main industrial control network devices involved in the situation assessment method are the security gateway, the master control PLC, the controlled equipment, the safety management platform and the engineer station. The role each plays is:
1. The security gateway: comprises a data packet deep analysis system and a situation assessment subsystem. The data packet deep analysis system performs deep analysis and feature extraction of Modbus TCP data packets; the situation assessment subsystem detects and raises alarms on the interaction data between the bottom-layer network and the safety management platform. The structure of the Modbus TCP protocol is shown in figure 2.
2. Master control PLC: in the ICS, PLCs are used as local controllers according to a monitoring plan. A PLC has a user-programmable memory for storing instructions that perform specific functions such as I/O control, logic, timing, counting, three-mode proportional-integral-derivative (PID) control, communications, arithmetic, and data and file processing. The PLC may be accessed through a programming interface located at an engineer workstation, as shown in fig. 3.
3. The controlled devices: liquid level meters, pressure gauges, temperature and humidity sensors, actuators and the like. They collect physical quantities of the industrial production process and upload the collected information through the PLC to the security gateway for situation assessment; at the same time, the controlled equipment receives the PLC's control instructions and carries them out, so that the industrial production process proceeds in an orderly way.
4. Safety management platform: responsible for configuring the security mechanisms of the security gateway and handling abnormal alarms.
5. Engineer station: a workstation used by engineers providing industrial process control to configure, program and modify the computer system.
According to the scheme, an engineer station is used for carrying out configuration and operation on a system, a PLC (programmable logic controller) in each area is used for identifying controlled equipment connected with an I/O (input/output) module of the PLC, and an information list of the controlled equipment is matched to form a periodic communication mode of a master station and a slave station.
The PLC feeds data information back to the security gateway in real time, a data packet deep analysis system of the gateway extracts data characteristics, removes redundant attribute characteristics and only leaves characteristics related to a system behavior mode, wherein the characteristics comprise data characteristics based on a communication protocol, state information of a programmable logic controller, state information of an industrial control network system and network traffic characteristics.
Then a data analysis module of the situation evaluation subsystem evaluates the system situation and sends an alarm to the safety management platform for any abnormal result.
The situation evaluation subsystem measures and counts with the classifier over the feature vectors extracted by the data packet deep analysis system.
The invention mainly relates to the following 3 modules: the system comprises a data packet deep analysis system, a situation evaluation subsystem and a safety management platform.
The data packet deep analysis system parses the message layer by layer. It covers the message header of the Modbus application protocol, which comprises a transaction identifier, a protocol identifier, a length identifier and a unit identifier, among others; it marks the periodic characteristics of the function codes, summarizes the command and state characteristics of the protocol, and records the communication behaviour frequency according to the communication period of the master station and the slave station.
The situation evaluation subsystem analyses data in real time according to the information from the data packet deep analysis system. For the Modbus TCP protocol, a characteristic vector of controller command interval, controller gain, controller period time increment, controller gain increment, slave station address, data packet cyclic check code, data length, function code, command or response and data packet transmission direction is constructed, and an industrial control network situation evaluation model based on a multi-class support vector machine is established. For typical industrial control attack behaviours, a situation value correspondence table of the normal state and the various attack states is established through a hierarchical quantitative evaluation method for network security threat situations, and situation value intervals and alarm thresholds are set for each type of attack. If the situation value evaluated in real time exceeds the alarm threshold, the situation evaluation subsystem immediately sends alarm information to the security management platform.
The safety management platform is mainly responsible for managing and monitoring the operation of the whole network from the field device layer to the process monitoring layer.
The main method for assessing the situation from the characteristics of the Modbus TCP protocol in the ICS is analysis at the level of the message structure. A Modbus TCP message comprises two parts, the Modbus Application Protocol header (MBAP) and the Protocol Data Unit (PDU); the MBAP header comprises a transaction identifier (Transaction ID), a protocol identifier (Protocol ID), a length (Length) and a unit identifier (Unit ID). For the function codes commonly used in Modbus TCP communication, for example read coils (01), read discrete inputs (02), write single coil (05), write multiple coils (15), read input registers (04) and write single register (06), communication between the master station and the slave station is highly periodic. A characteristic vector of controller command interval, controller gain, controller cycle time increment, controller gain increment, slave station address, packet cyclic check code, data length, function code, command or response and packet transfer direction is then constructed by combining this with the controller state information and the network traffic information.
Under normal ICS operation, training samples are obtained by the security gateway. Data preprocessing comes first and comprises data normalization and data dimensionality reduction.
In this scheme, the feature vectors of the Modbus TCP protocol are preprocessed with the mapminmax normalization algorithm, which maps the feature value range onto [0,1] using the following normalization formula:
Value = (fmax - fmin) * (x - xmin) / (xmax - xmin) + fmin
wherein, x and Value correspond to the data before and after normalization respectively. xmax, xmin correspond to the maximum and minimum values of the pre-processed data, respectively, and fmax, fmin are the maximum and minimum values of the post-processed data. Original data are mapped into a standard attribute range through a mapping, so that the phenomenon that characteristics with larger values account for too large proportion in the training process is avoided, and the numerical calculation is facilitated.
In this scheme, principal component analysis is used for linear dimensionality reduction: the information pivot elements that reflect the data attributes are extracted from the multi-dimensional features, and these pivot elements reflect almost all of the high-dimensional information. The dimensionality reduction process is as follows:
Step 1: let the number of samples of the original input data be m, each with p feature attributes; compute the covariance matrix S of the sample set X and the mean vector of X;
Step 2: perform eigenvalue decomposition of S to obtain its p eigenvalues and the corresponding eigenvectors (given as images in the original), and sort the eigenvalues by size;
Step 3: compute the contribution rate of the i-th principal component;
Step 4: determine the number of principal components from the cumulative contribution rate, which is usually required to exceed 90%. The first n principal components then replace the original input variables, achieving data dimensionality reduction.
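An added example (not the patent's code) carrying the preprocessing above through in pure Python: mapminmax normalization onto [0,1], the covariance matrix of step 1, a Jacobi eigen-decomposition for step 2, and the contribution-rate selection of steps 3 and 4 with the 90% threshold. The six-sample matrix is constructed; its third feature is an exact multiple of the first, so normalization makes it redundant and the selection should keep two components.

```python
import math


def mapminmax(column, fmin=0.0, fmax=1.0):
    """Scale one feature column from [xmin, xmax] onto [fmin, fmax] (the page's formula)."""
    xmin, xmax = min(column), max(column)
    if xmax == xmin:                      # constant feature: map to the lower bound
        return [fmin for _ in column]
    return [(fmax - fmin) * (x - xmin) / (xmax - xmin) + fmin for x in column]


def normalize(X):
    """Apply mapminmax to every column of the m x p sample matrix X."""
    cols = [mapminmax([row[j] for row in X]) for j in range(len(X[0]))]
    return [[cols[j][i] for j in range(len(cols))] for i in range(len(X))]


def covariance(X):
    """Step 1: mean vector and unbiased covariance matrix S of the m x p matrix X."""
    m, p = len(X), len(X[0])
    mu = [sum(row[j] for row in X) / m for j in range(p)]
    S = [[sum((row[a] - mu[a]) * (row[b] - mu[b]) for row in X) / (m - 1)
          for b in range(p)] for a in range(p)]
    return mu, S


def jacobi_eigen(S, sweeps=100, tol=1e-14):
    """Step 2: eigenvalues and eigenvectors of a symmetric matrix by cyclic Jacobi rotations."""
    n = len(S)
    A = [row[:] for row in S]
    V = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(A[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(A[p][q]) < 1e-300:
                    continue
                theta = (A[q][q] - A[p][p]) / (2 * A[p][q])
                t = (1.0 if theta >= 0 else -1.0) / (abs(theta) + math.sqrt(theta * theta + 1))
                c = 1 / math.sqrt(t * t + 1)
                s = t * c
                for k in range(n):            # A <- A * P (columns p, q)
                    akp, akq = A[k][p], A[k][q]
                    A[k][p], A[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):            # A <- P^T * A (rows p, q)
                    apk, aqk = A[p][k], A[q][k]
                    A[p][k], A[q][k] = c * apk - s * aqk, s * apk + c * aqk
                for k in range(n):            # accumulate eigenvectors V <- V * P
                    vkp, vkq = V[k][p], V[k][q]
                    V[k][p], V[k][q] = c * vkp - s * vkq, s * vkp + c * vkq
    eigvals = [A[i][i] for i in range(n)]
    eigvecs = [[V[k][i] for k in range(n)] for i in range(n)]   # column i of V as a list
    return eigvals, eigvecs


def pca_select(X, threshold=0.9):
    """Steps 3-4: sort components, keep the first n whose cumulative contribution
    rate reaches `threshold`, and project the normalized samples onto them.
    Returns (n, contribution ratios, projected samples)."""
    Xn = normalize(X)
    mu, S = covariance(Xn)
    vals, vecs = jacobi_eigen(S)
    order = sorted(range(len(vals)), key=lambda i: vals[i], reverse=True)
    vals = [max(vals[i], 0.0) for i in order]      # clamp round-off negatives
    vecs = [vecs[i] for i in order]
    total = sum(vals)
    ratios = [v / total for v in vals]               # contribution rate of the i-th component
    n, cum = 0, 0.0
    while cum < threshold and n < len(ratios):
        cum += ratios[n]
        n += 1
    projected = [[sum((row[j] - mu[j]) * vecs[k][j] for j in range(len(row)))
                  for k in range(n)] for row in Xn]
    return n, ratios, projected


# Constructed sample: 6 samples x 3 features; feature 3 is exactly 2x feature 1.
SAMPLES = [[0, 5, 0], [1, 0, 2], [2, 4, 4], [3, 1, 6], [4, 3, 8], [5, 2, 10]]
```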
Then, the support vector is pre-extracted and optimized, and the pre-extraction process is as follows:
Given two elements x1 and x2 belonging to two different sample sets, the distance between them is denoted d(x1, x2) (x1 being an element of sample set 1 and x2 of sample set 2). In the linear case the distance is defined as follows:
(formula given as an image in the original; not reproduced here)
In the non-linear case the distance between x1 and x2 is defined as follows:
(formula given as an image in the original; not reproduced here)
where the first image denotes the mapping of a vector from the original space to its corresponding vector in the high-dimensional vector space, and the second denotes the kernel function.
First, the first element of x1 is taken and sample set x2 is traversed; a minimum value min d(x1, x2) necessarily exists, and the vector attaining it is a boundary value in sample set x2. Taking the elements of x1 in turn, traversing the elements of x2 and finding the minimum min d(x1, x2) each time yields the set of all boundary vectors of the second-class sample relative to the first-class sample; the relative boundary vectors of the first-class sample are obtained in the same way. The relative boundary vectors so obtained include the support vectors with considerable probability, and their number is much smaller than the number of samples. This set is taken as the initial working set B.
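An added example, not from the patent, of the pre-extraction just described: for each element of one class it finds the nearest element of the other class, and the union of both relative boundary sets becomes the initial working set B. The linear case uses Euclidean distance; for the non-linear case, whose formula survives only as an image, the standard kernel-induced distance sqrt(K(x1,x1) - 2K(x1,x2) + K(x2,x2)) with an RBF kernel is assumed. The two-class grid data and the kernel width are constructed.

```python
import math


def linear_distance(x1, x2):
    """Euclidean distance in the original input space (the linear case)."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(x1, x2)))


def rbf_kernel(x1, x2, gamma=0.5):
    """Radial basis kernel K(x1, x2) = exp(-gamma * ||x1 - x2||^2); gamma is a constructed value."""
    return math.exp(-gamma * sum((a - b) ** 2 for a, b in zip(x1, x2)))


def kernel_distance(x1, x2, kernel=rbf_kernel):
    """Distance in the kernel-induced feature space (assumed form of the non-linear case)."""
    d2 = kernel(x1, x1) - 2 * kernel(x1, x2) + kernel(x2, x2)
    return math.sqrt(max(d2, 0.0))          # clamp round-off below zero


def relative_boundary(class_a, class_b, dist):
    """Nearest element of class_b for every element of class_a: class_b's boundary relative to class_a."""
    boundary = set()
    for x1 in class_a:
        boundary.add(min(class_b, key=lambda x2: dist(x1, x2)))
    return boundary


def initial_working_set(class1, class2, dist=linear_distance):
    """Union of both relative boundaries: the initial working set B for SVM training."""
    return relative_boundary(class1, class2, dist) | relative_boundary(class2, class1, dist)


# Constructed two-class sample: two 4x3 grids of points separated by a gap along y.
CLASS1 = tuple((x, y) for x in range(4) for y in range(3))      # y in {0, 1, 2}
CLASS2 = tuple((x, y) for x in range(4) for y in range(4, 7))   # y in {4, 5, 6}
```

Only the rows facing the gap (y = 2 and y = 4) survive, so B holds 8 of the 24 samples, and the kernel distance, being monotone in the Euclidean one for an RBF kernel, selects the same set.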
The loop iteration algorithm comprises the following processes:
a) taking the working set B as a training sample to obtain a classification hyperplane;
b) test the training sample set A with the obtained classification hyperplane, then compute the distance d of each sample in A to the classification hyperplane and the classification accuracy P. Samples of the test set whose distance d to the optimal hyperplane is smaller than Q (a threshold value between 1.05 and 2.0) are put into the working set B, replacing the original working set B as the training samples for the next loop iteration;
c) when the classification accuracy P is less than 1, repeat from step a); when the classification accuracy P equals 1, exit the loop and end the loop iteration.
Thirdly, situation intervals between the initial situation value and each type of typical attack are constructed by analysing three types of typical attack data of the industrial control system: the command injection attack (Command Injection), the response injection attack (Response Injection) and the denial of service attack (Denial of Service, DoS). These are quantitatively evaluated through a hierarchical network security threat situation assessment according to the potential harm of the different attacks, the actual degree of damage to the system and the impact on the whole network. The method is divided into three layers, service level, host level and network level, following the principle of lower layer first, then the part, then the whole. Features such as the security threat of the attack to the service, the normal access volume of the service, the importance of the service, the severity of the damage to the host, the importance of the host, network bandwidth occupancy and system vulnerability information are given corresponding weights, the security threat index of each layer is computed quantitatively, and the layers are then superposed with their corresponding weights. Finally the situation values of the network in the normal state and under the various attacks are determined, and a situation value interval table of the normal state and the various attack states is established, as shown in fig. 5.
Finally, a multi-class support vector machine model based on a binary tree is constructed and the parameters of the support vector machine are optimized. The binary tree-based multi-class support vector machine model is constructed from the support vectors obtained in the previous step, the situation values corresponding to those support vectors, and the situation interval corresponding to each type of system state. First, SVM1 is trained with the first class of data as one class and all the remaining data as the other class (assuming there are K classes in total); then SVM2 is trained on the data remaining after the first classification, with the second class as one class and the rest as the other; and so on until only two classes of data remain, for which SVM(K-1) is trained. In this way a binary tree model whose root node is a support vector machine is obtained. Under this model, a feature vector is first judged by SVM1: if it is judged to belong to the first class the judgement ends, otherwise SVM2 is used to judge it, and so on until the class to which the feature vector belongs is determined. In this scheme, the class of a sample of the 1st class is obtained with a single classification, the class of a sample of the 2nd class with two classifications, and all classes are obtained with K-1 classifications. To meet the real-time requirement of an industrial control system, a step-by-step grid search algorithm is used to optimize the parameters of the support vector machine.
First, a search range for the optimal value is set for the penalty factor parameter and for the radial basis kernel function parameter g, with the step set to 5, to obtain a local optimum. Around the local optimum parameters, a fine search with step 0.1 is performed to obtain the final optimal parameters. Optimizing first over a large range and then over a small range reduces the parameter optimization time and better meets the high real-time requirement of an industrial control system.
Although the present invention has been described in detail with reference to the preferred embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the spirit and scope of the invention as defined in the appended claims. The techniques, shapes, and configurations not described in detail in the present invention are all known techniques.

Claims (4)

1. An industrial control network situation assessment method, characterized in that: the industrial control network equipment involved in the method comprises a security gateway, a Programmable Logic Controller (PLC), field sensor equipment, a security management platform and an engineer station; the security gateway comprises a situation assessment subsystem and a data packet deep analysis system; and the method comprises the following steps:
the engineer station configures and operates the industrial control system; the PLC of each area identifies the controlled equipment connected to its I/O module and matches it against the controlled equipment information list, forming a periodic master station/slave station communication mode;
the PLC feeds data information back to the security gateway in real time, and the data packet deep analysis system of the security gateway extracts data features from the data information to obtain a feature vector;
the situation assessment subsystem evaluates and counts the feature vectors with the classifier, evaluates the situation, and sends an alarm to the security management platform for an abnormal result;
wherein the step in which the PLC feeds data information back to the security gateway in real time and the data packet deep analysis system of the security gateway extracts data features to obtain a feature vector comprises:
the data packet deep analysis system specifies the feature fields present in a data packet and their expected values according to the message format of the Modbus TCP protocol, analyzes the message layer by layer, and summarizes the instruction and state features of the protocol;
a sliding time window is established for master station/slave station communication; important features are frequency-marked using a periodic time window, data packets are periodically collected and features extracted, and a feature vector is established;
based on the fact that master station/slave station communication in the field device layer is periodic and that the master station performs periodic read/write operations on slave station devices in an industrial control system using the Modbus TCP protocol, the controller command interval, controller gain, controller period time increment, controller gain increment, slave station Address, data packet cyclic check code, data length, function code, command or response, and data packet transmission direction are obtained, and a feature vector is constructed from each type of regular feature value based on communication frequency;
and wherein the step in which the situation assessment subsystem evaluates and counts the feature vectors with the classifier, evaluates the situation, and sends an alarm to the security management platform for an abnormal result comprises:
the situation assessment subsystem analyzes data in real time from the information supplied by the data packet deep analysis system and, for the Modbus TCP protocol, constructs a feature vector of controller command interval, controller gain, controller cycle time increment, controller gain increment, slave station Address, data packet cyclic check code, data length, function code, command or response, and data packet transmission direction; the feature vector is preprocessed and reduced in dimension, the preprocessed feature vector being linearly reduced by principal component analysis so that the principal components reflecting the data attributes are extracted from the multi-dimensional features; the preprocessed and dimension-reduced feature vectors are pre-extracted and optimized; an industrial control network situation assessment model based on a binary-tree multi-class support vector machine is established; a table of situation values for the normal state and for each attack state is established for typical industrial control attack behaviors by means of a hierarchical quantitative assessment method for the network security threat situation, and a situation value interval and an alarm threshold are set for each type of attack; and if the situation value evaluated in real time exceeds the alarm threshold, the situation assessment subsystem immediately sends an alarm message to the security management platform.
2. The industrial control network situation assessment method according to claim 1, characterized in that: the controller command interval is the time interval between identical instructions sent by the PLC to the controlled equipment; the controller gain, controller cycle time increment and controller gain increment are obtained from the controller's feedback and represent the state information of the controller; the slave station Address, data packet cyclic check code, data length, function code, and command or response are analyzed through the Modbus TCP protocol characteristics and the periodicity rule to obtain the characteristic frequency of each field of the data packet; and the data packet direction is the transmission direction of the data packet, determined from its source and destination addresses when the PLC and the controlled equipment exchange data.
3. The industrial control network situation assessment method according to claim 1, characterized in that the situation assessment subsystem comprises a binary-tree-based multi-class Support Vector Machine (SVM) model, and the step of building the binary-tree-based multi-class SVM model comprises:
building an industrial control platform and constructing typical industrial control attacks;
constructing an initial situation value and situation interval for each typical industrial control attack while extracting feature vectors, preprocessing the feature vector data, and pre-extracting and optimizing the feature vectors;
constructing the binary-tree-based multi-class SVM model; optimizing the parameters of the multi-class SVM; and completing the construction of the multi-class SVM model.
4. The industrial control network situation assessment method according to claim 3, wherein said typical industrial control attack comprises: command Injection attack (Command Injection), Response Injection attack (Response Injection), and Denial of Service attack (DoS).
CN201910141568.8A 2019-02-26 2019-02-26 Industrial control network situation assessment method Active CN109981583B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910141568.8A CN109981583B (en) 2019-02-26 2019-02-26 Industrial control network situation assessment method

Publications (2)

Publication Number Publication Date
CN109981583A CN109981583A (en) 2019-07-05
CN109981583B true CN109981583B (en) 2021-09-24

Family

ID=67077358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910141568.8A Active CN109981583B (en) 2019-02-26 2019-02-26 Industrial control network situation assessment method

Country Status (1)

Country Link
CN (1) CN109981583B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111669375B (en) * 2020-05-26 2021-03-16 武汉大学 Online safety situation assessment method and system for power industrial control terminal
CN111723377B (en) * 2020-06-17 2023-02-07 中国电子信息产业集团有限公司第六研究所 Platform vulnerability assessment method and device, electronic equipment and storage medium
CN112230584A (en) * 2020-10-28 2021-01-15 浙江中烟工业有限责任公司 Safety monitoring visualization system and safety monitoring method applied to industrial control field
CN112637143B (en) * 2020-12-08 2023-03-24 浙江国利网安科技有限公司 Safety control method and device and industrial control data acquisition gateway
CN113114489B (en) * 2021-03-29 2022-06-17 广州杰赛科技股份有限公司 Network security situation assessment method, device, equipment and storage medium
CN114741575B (en) * 2022-02-25 2022-11-08 中国人民解放军63921部队 Network power target behavior analysis method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420723A (en) * 2011-12-14 2012-04-18 南京邮电大学 Anomaly detection method for various kinds of intrusion
CN102722726A (en) * 2012-06-05 2012-10-10 江苏省电力公司南京供电公司 Multi-class support vector machine classification method based on dynamic binary tree
CN102915447A (en) * 2012-09-20 2013-02-06 西安科技大学 Binary tree-based SVM (support vector machine) classification method
CN106502234A (en) * 2016-10-17 2017-03-15 重庆邮电大学 Industrial control system method for detecting abnormality based on double skeleton patterns

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150248556A1 (en) * 2014-02-28 2015-09-03 Government Of The United States, As Represented By The Secretary Of The Air Force Firmware Disassembly System

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
"一种新的支持向量机多类分类方法";安金龙等;《信息与控制》;20040620;第33卷(第3期);第262-267页 *
"二叉树多类SVM在网络入侵检测中的应用 ";陈美霞等;《微计算机信息》;20100325;第26卷(第9期);第75-77页 *
"层次化网络安全威胁态势量化评估方法";陈秀真等;《软件学报》;20060430;第17卷(第4期);第885-897页 *
"无线传感器网络中基于SVM的合作型入侵检测系统";祝琦等;《计算机应用研究 》;20100415;第27卷(第4期);第1489-1492页 *
"融合PCA和PSO-SVM方法在工控入侵检测中的应用 ";王华忠等;《科技通报》;20170131;第33卷(第1期);第80-85页 *

Also Published As

Publication number Publication date
CN109981583A (en) 2019-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant