CN111338297A - Industrial control safety framework system based on industrial cloud - Google Patents


Info

Publication number
CN111338297A
CN111338297A
Authority
CN
China
Prior art keywords
ics
devices
industrial
intrusion detection
network
Legal status
Granted
Application number
CN201911421230.4A
Other languages
Chinese (zh)
Other versions
CN111338297B (en)
Inventor
凌飞
李木金
Current Assignee
Nanjing Liancheng Technology Development Co ltd
Original Assignee
Nanjing Liancheng Technology Development Co ltd
Events
Application filed by Nanjing Liancheng Technology Development Co ltd
Priority to CN201911421230.4A
Publication of CN111338297A
Application granted
Publication of CN111338297B
Legal status: Active

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B19/00 Programme-control systems
    • G05B19/02 Programme-control systems electric
    • G05B19/418 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM]
    • G05B19/4185 Total factory control, i.e. centrally controlling a plurality of machines, e.g. direct or distributed numerical control [DNC], flexible manufacturing systems [FMS], integrated manufacturing systems [IMS], computer integrated manufacturing [CIM], characterised by the network communication
    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B2219/00 Program-control systems
    • G05B2219/30 NC systems
    • G05B2219/31 From computer integrated manufacturing till monitoring
    • G05B2219/31088 Network communication between supervisor and cell, machine group
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]

Abstract

The invention discloses an industrial-cloud-based industrial control security framework system responsible for the security of industrial control network data communication. It comprises a content delivery network made up of an intrusion detection and defense system module, a hidden Markov model module and a delivery strategy module. The content delivery network performs real-time intrusion detection for each ICS device, predicts with the hidden Markov model module the probability of moving a device into or out of a virtual honeypot device, and delivers data between devices according to the delivery strategy module. The invention makes the ICS system secure and controllable.

Description

Industrial control safety framework system based on industrial cloud
Technical Field
The invention relates to the technical fields of computing, network security, network management and automatic control, and in particular to an industrial control security framework system based on an industrial cloud.
Background
Industrial control systems (ICS) are used to manage and maintain national critical infrastructure that is usually spread across different geographical locations, such as metallurgy, natural gas pipelines, water resources and electricity. Enterprises operating these facilities have introduced an industrial cloud in order to manage and control this geographically distributed infrastructure centrally. With the commercial rollout of 5G (fifth-generation mobile communications) and its strong performance in recent years, the real-time behaviour of the industrial cloud has improved and the interconnection of everything has become feasible, so that the real-time control requirements of ICS can be met. An industrial control network based on an industrial cloud generally comprises sub-components such as programmable logic controllers (PLC), human-machine interfaces (HMI), master terminal units (MTU) and remote terminal units (RTU). These sub-components are deployed on virtual machines (VM) of the industrial cloud; they receive the data acquired by ICS field devices, perform computation, and output the results to the ICS field control devices, thereby automating the production process. Together these form the ICS system. However, the data that flows from the ICS field devices through the computation to the ICS field control devices is exposed: once it is tampered with, the results become unreasonable. An industrial-cloud-based industrial control security framework system is therefore urgently needed to provide security protection for the industrial equipment covered by the ICS system.
Disclosure of Invention
To solve this technical problem, the invention provides an industrial-cloud-based industrial control security framework system, addressing the fact that traditional security solutions are no longer suited to the network security of an industrial-cloud-based ICS system.
The industrial-cloud-based industrial control security framework system protects the security of industrial control network data communication and comprises a content delivery network;
the content delivery network comprises an intrusion detection and defense system module, a hidden Markov model module and a delivery strategy module, and is responsible for real-time intrusion detection of each ICS device, for predicting with the hidden Markov model module the probability of moving a device into or out of a virtual honeypot device, and for data delivery between devices according to the delivery strategy module;
the intrusion detection and defense system module is responsible for monitoring all devices of the ICS system and includes a misuse-based intrusion detection system (MIDS), an anomaly-based intrusion detection system (AIDS) and a network-based intrusion detection system (NIDS);
the hidden Markov model module classifies all devices of the ICS system and provides the probability of transferring an attacked device into the virtual honeypot device and the probability of transferring it back out;
the delivery strategy module comprises a secure-trusted strategy, a load-balancing strategy and a nearby-delivery strategy;
the secure-trusted strategy delivers the data collected by ICS devices only to secure and trusted LD devices, so as to ensure the security and reliability of the data and prevent its content from being tampered with;
the load-balancing strategy balances the load across all available devices of the ICS system and delivers computing tasks to lightly loaded LD devices;
and the nearby-delivery strategy delivers data to the nearest or next-nearest LD device, so that the real-time requirements of the ICS system are met.
Furthermore, the virtual honeypot device is responsible for monitoring the devices placed in it, generating log files of malicious ICS devices, updating the attack database, generating intrusion detection rules, and synchronizing those rules to the intrusion detection and defense system module of the content delivery network.
The invention has the technical effects that:
the industrial-cloud-based industrial control security framework system is responsible for the security of industrial control network data communication and comprises a content delivery network; the content delivery network comprises an intrusion detection and defense system module, a hidden Markov model module and a delivery strategy module, and is responsible for real-time intrusion detection of each ICS device, for predicting with the hidden Markov model module the probability of moving a device into or out of a virtual honeypot device, and for data delivery between devices according to the delivery strategy module. The invention makes the ICS system secure and controllable.
Drawings
FIG. 1 is a schematic diagram of the ICS hierarchy of the industrial-cloud-based industrial control security framework system;
FIG. 2 is a schematic diagram of the deployment of the industrial-cloud-based industrial control security framework system;
FIG. 3 is a schematic diagram of the industrial-cloud-based industrial control security framework system;
FIG. 4 is a schematic diagram of the content delivery network workflow of the industrial-cloud-based industrial control security framework system;
FIG. 5(1) is a schematic diagram of the first-order Markov general transition diagram of the industrial-cloud-based industrial control security framework system;
FIG. 5(2) is a schematic diagram of the second-order Markov general transition diagram of the industrial-cloud-based industrial control security framework system.
Detailed Description
The invention is described in further detail below with reference to the figures and examples:
As intelligence in industrial control fields increases and the delay between the data acquisition and data processing stages must shrink, the prior art offers a number of solutions. One is to perform data processing on network devices (routers, gateways or switches) rather than sending the data to a remotely located server; real-time industrial ICS field-intelligence applications, whose performance suffers from network delay, should not run on such remote servers when real-time, fast computation results are required. Another option for a highly real-time industrial ICS field-intelligence application is to process its data on a device close to the data acquisition node (a near-processing strategy). Devices with computing capability close to the data collection node are typically network devices such as routers, gateways and switches; that is, the prior art uses these network devices to create an edge computing layer for real-time industrial intelligence applications. Such edge computing devices give intelligent applications lower delay than general cloud computing, but cannot match the computing power of the cloud. The construction of a secure and trusted industrial control network is therefore imperative.
Fig. 1 is a schematic diagram of the ICS layered structure of the industrial-cloud-based industrial control security framework system. The bottom layer comprises data acquisition devices, video camera devices and actuators; these may be sensors, RFID tags, cameras, Internet of Things (IoT) devices and variable-frequency motor drives. They collect real-time data and process it through an intelligent application (for example a controller) to make real-time decisions (for example adjusting the opening of a gas valve through an actuator output). The middle layer consists of field network equipment that carries data between the bottom-layer devices and the industrial cloud computing infrastructure; this field network device layer can also perform part or all of the computation, so that industrial application performance is not affected by network delay. The top layer is the industrial cloud layer, which mainly consists of virtual machines. If the field network device layer has no free computing resources, it can send the request directly to the industrial cloud infrastructure for computation. Even when data processing is completed in the field network device layer, the raw data, intermediate data and computation results ultimately need to be stored on the industrial cloud computing infrastructure. For convenience, the ICS devices of each layer are simply referred to as devices below.
In an industrial ICS environment a device can be used by multiple intelligent applications, and different users create network security problems. If a hacker attacks a device, the sensors of the ICS system may obtain wrong collected data and provide wrong output data, which is extremely dangerous: a gas valve opened by mistake, for example, may cause a large explosion of the factory and casualties. Network attacks can also degrade the performance of the ICS system, and a hacked device may share data with competitors, which the operator does not want to see. Existing security protocols authenticate each device before providing data processing or computation. However, if an authenticated device is hacked the situation becomes worse, because devices in the ICS system hold certain access rights in the industrial control network. Network attacks on an ICS environment can therefore be broadly divided into two categories: (1) unauthenticated network attacks and (2) unauthorized network attacks. If an unauthenticated device attempts to attack devices in the ICS system, this is an unauthenticated or external network attack. If the attacking device is authenticated and sits inside the secure and trusted network of the application, it is an unauthorized or internal network attack. Devices that have passed identity authentication must be tracked precisely because they hold usage rights in the industrial control network. According to a 2013 survey of U.S. cyber crime, 34% of all cyber attacks were internal, 31% were external, and the remaining 35% could not be classified as internal or external.
Another investigation by Furnell (2004) showed that system security administrators were more aware of and concerned with external network attacks while largely disregarding internal ones. Because the ICS system is a multi-user architecture in which different applications share resources, an internal attacker is difficult to identify. The damage caused by internal attacks on ICS systems is also high, since applications that use real-time data are critical applications: if an application processes real-time weather data to predict flooding or other natural disasters, an attacked device feeding it spurious data can have catastrophic consequences. There is therefore a strong need for an industrial control network security framework that protects ICS services from malicious devices. By actively predicting attacks from malicious devices of the ICS system, devices can be deployed in the ICS more securely.
Probability theory and statistics, including Kalman filtering and linear and non-linear filtering techniques, can be applied here; the Markov model is a typical example (see Fig. 5(1), Fig. 5(2) and Table 1 below). A Markov model is a stochastic model with the Markov property: the probability of a future event depends only on the current state and not on past states. A hidden Markov model is a Markov model whose intermediate states are not observed, i.e. are hidden. Markov models are used for network security evaluation based on current user activity; with a hidden Markov model, the probability that a device is malicious can be predicted from the activity of the ICS device. In the present application a two-stage hidden Markov model is used to find malicious devices and transfer them to virtual honeypot devices based on their recent activity. A honeypot is a trap set by the system administrator, a real decoy within the ICS system used to lure network attackers. A honeypot can be a computer, an application or data that mimics the true behaviour of the ICS system and records the attack path of the attacker. Unlike intrusion detection systems (IDS), intrusion detection and prevention systems (IDPS) and firewalls, a honeypot is meant to be attacked. A correctly installed honeypot improves the efficiency and security of the ICS system; however, if the honeypot is static and the attacker learns its location, its value diminishes. To make the industrial control network security framework proposed here more adaptive, virtual honeypot devices are proposed whose position changes dynamically, so that a malicious device never knows the exact location of the honeypot.
Compared with traditional honeypots, the virtual honeypot technique not only prevents the identity of the honeypot from being exposed but is also easy to deploy: a virtual honeypot device can be deployed as a virtual machine image on any available hypervisor VM. Depending on the level and severity of the network attack, the virtual honeypot device can automatically scale its resource capacity, making it suitable for attacks of any level and from any number of malicious devices.
Network attacks by malicious devices can be a major bottleneck in any ICS system, and the consequences grow with the importance of the industrial field-intelligence application. The main aim of this application is to design an effective industrial control network security framework that identifies malicious devices in the ICS and transfers their work to virtual honeypot devices, so that the ICS system becomes more secure and adaptive by nature.
To achieve this objective, the present application provides an industrial-cloud-based industrial control network security framework composed of three parts and intended to mitigate malicious devices. In the first part, all devices that run their services on the ICS system are monitored by the IDS in the content delivery network; here the content delivery network is described in terms of two modules, the IDS and the Markov model. In the second part, the content delivery network uses the Markov model module to classify devices and provide the probability of transferring a device to a virtual honeypot device; the Markov model module also helps reduce the false alarm rate of the intrusion detection system. In the third part, the virtual honeypot device monitors the malicious devices, generates log files of the attackers' activities and stores them in an attack database, which is used to prevent future unknown attacks and thus makes the system adaptive. The application can also recover legitimate edge devices from the virtual honeypot device based on probabilities generated by the Markov model module.
In general an ICS system includes an HMI (human-machine interface), an engineer station, remote diagnostic tools, a database, controllers, sensors and actuators, communicating over industrial network protocols. The HMI monitors the controlled process and can display historical status information. Sensors and actuators are typically deployed on the ICS site, while controllers may be deployed in VMs of the industrial cloud; the engineer station, HMI and remote diagnostic tools may likewise be deployed in industrial cloud VMs. The engineer station configures control algorithms and adjusts control parameters. Remote diagnostic tools prevent, identify and recover from abnormal conditions, or diagnose and repair faults. The controller, which may be implemented by a PLC, controls the industrial process. Sensors (for example temperature and pressure sensors) monitor and collect data in real time, and actuators (for example valves, motors and switches) execute controller commands. The industrial network protocol, for example Modbus/TCP, is the protocol by which the controller communicates with sub-controllers, engineer stations, HMIs, actuators and sensors. The control process of an ICS control loop mainly consists of the transmission of measurement data from the sensors to the controller and of control data from the controller to the actuators; the sensors then collect new measurement data resulting from the control action and transmit it to the controller again, forming closed-loop control. In industrial production areas, controlled processes typically run continuously over periods ranging from a few milliseconds to several days. If this control data and measurement data are tampered with in a network attack, the consequences are immeasurable.
Fig. 2 is a schematic diagram of the deployment of the industrial-cloud-based industrial control security framework system. The industrial cloud may be based on an RT Hypervisor (real-time hypervisor) and may be located in the geographic area of the enterprise or within the enterprise intranet. It is mainly used to deploy the industrial control network security framework module and the applications or subsystems of the ICS system: the security framework module is deployed on a CVM (control VM), while the applications or subsystems of the ICS system may be deployed on ordinary VMs. Once the industrial cloud is deployed, users can follow and control the production flow of the factory and the running state of equipment in real time from several kinds of terminal, such as a computer, tablet or mobile phone.
In the present application, devices in the ICS are classified into four categories: legitimate devices (LD), sensitive devices (SD), under-attack devices (UD) and hacked devices (HD). LDs use the rights they hold in the correct way and never attempt to break the security of the ICS system. SDs send a small number of false data points to the ICS system (an SD may send spurious data inadvertently, or may be attacked by an amateur hacker; such devices need careful monitoring). Amateur hackers are not well trained but can still launch attacks that affect the ICS system as a whole, such as breaking passwords or sending many authentication requests. UDs are devices under attack by a professional hacker and must be protected immediately; professional hackers are well trained and launch very damaging network attacks on the ICS system, which can be system-level and block an entire application. HDs are devices that, according to the IDS prediction, are being hacked and send successive fake data to the ICS system; if they are kept active, they need to be transferred to the virtual honeypot device so that the attacker's path can be predicted successfully.
Fig. 3 is a schematic diagram of the industrial-cloud-based industrial control security framework system. It presents the industrial control network security framework proposed in the present application, which includes the content delivery network. The content delivery network comprises an intrusion detection and defense system module, a hidden Markov model module and a delivery strategy module; it is responsible for real-time intrusion detection of each ICS device, for predicting with the hidden Markov model module the probability of moving a device into or out of the virtual honeypot device, and for data delivery between devices according to the delivery strategy module. The intrusion detection and defense system module monitors all devices of the ICS system and includes a misuse-based intrusion detection system (MIDS), an anomaly-based intrusion detection system (AIDS) and a network-based intrusion detection system (NIDS). The hidden Markov model module classifies all devices of the ICS system and provides the probabilities of transferring attacked devices into and out of the virtual honeypot device. The delivery strategy module comprises a secure-trusted strategy, a load-balancing strategy and a nearby-delivery strategy. The secure-trusted strategy delivers the data collected by ICS devices only to secure and trusted LD devices, ensuring the security and reliability of the data and preventing its content from being tampered with. The load-balancing strategy balances the load across all available devices of the ICS system and delivers computing tasks to lightly loaded LD devices. The nearby-delivery strategy delivers data to the nearest or next-nearest LD device, meeting the real-time requirements of the ICS system.
Furthermore, the virtual honeypot device is responsible for monitoring the devices placed in it, generating log files of malicious ICS devices, updating the attack database, generating intrusion detection rules, and synchronizing those rules to the intrusion detection and defense system module of the content delivery network.
The security framework shown in Fig. 3 identifies malicious devices, making the ICS system more adaptive by nature: when the hacking path for a particular type of device is detected, it is stored in the attack database so that the same situation can be prevented in the future. In the present application, data delivery between all devices is performed through a content delivery network located in the ICS environment, which applies several delivery policies, such as the secure-trusted policy, the load-balancing policy and the nearby-delivery policy. The secure-trusted policy delivers data only to secure and trusted devices, ensuring the security and reliability of the data and preventing its content from being tampered with; the load-balancing policy balances the load of the available ICS device resources and delivers computing tasks to lightly loaded devices; the nearby-delivery policy delivers data to the nearest or next-nearest device of the ICS system. When a service request is made on the ICS, the content delivery network provides the service to the LD device's application under constant monitoring by the IDS.
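The three delivery policies above, applied in order as one selection function, as an added example that is not the patent's own code. The Device fields, the load ceiling, the two-candidate proximity cut, the optional deadline check and the constructed fleet are all assumptions made for illustration; the trust classes LD/SD/UD/HD are the ones defined in the description.

```python
"""Delivery-policy selection for the content delivery network.
Added example, not code from the patent: the Device fields, the load
ceiling, the deadline check and the constructed fleet are assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    dev_id: str
    trust_class: str    # "LD", "SD", "UD" or "HD", as classified by the framework
    load: float         # fraction of capacity in use, 0.0 .. 1.0
    distance_ms: float  # round-trip time from the requesting node, in ms


def secure_trusted(devices: List[Device]) -> List[Device]:
    """Secure-trusted policy: only LD devices may receive data or work.
    SD/UD/HD devices are excluded outright, never merely de-prioritised."""
    return [d for d in devices if d.trust_class == "LD"]


def load_balanced(devices: List[Device], max_load: float) -> List[Device]:
    """Load-balancing policy: drop devices above the load ceiling and
    order the remainder lightest-first."""
    return sorted((d for d in devices if d.load <= max_load), key=lambda d: d.load)


def nearby(devices: List[Device], k: int = 2) -> List[Device]:
    """Nearby-delivery policy: keep only the nearest and next-nearest
    candidates so the control loop's real-time deadline can be met."""
    return sorted(devices, key=lambda d: d.distance_ms)[:k]


def select_target(devices: List[Device], max_load: float = 0.8,
                  deadline_ms: Optional[float] = None) -> Optional[Device]:
    """Apply the policies in order: trust, then load, then proximity.
    Returns None when no trusted device can serve the request; the caller
    must treat that as a refusal, not fall back to an untrusted device."""
    candidates = nearby(load_balanced(secure_trusted(devices), max_load))
    if deadline_ms is not None:
        candidates = [d for d in candidates if d.distance_ms <= deadline_ms]
    return candidates[0] if candidates else None


# Constructed fleet: the nearest and idlest device is hacked, the nearest
# legitimate one is overloaded, so the policy chain has to work for its answer.
FLEET = [
    Device("plc-1", "LD", load=0.20, distance_ms=12.0),
    Device("plc-2", "LD", load=0.90, distance_ms=3.0),
    Device("plc-3", "HD", load=0.10, distance_ms=1.0),
    Device("rtu-4", "LD", load=0.50, distance_ms=7.0),
    Device("hmi-5", "SD", load=0.10, distance_ms=2.0),
]

if __name__ == "__main__":
    chosen = select_target(FLEET)
    print("deliver to:", chosen.dev_id if chosen else "nobody (refuse)")
```

The secure-trusted policy is a hard filter applied before the other two, so a hacked device that happens to be the nearest and least loaded (plc-3 above) can never win on those criteria; with the constructed fleet the request goes to rtu-4, and with a 5 ms deadline it is refused rather than handed to hmi-5 or plc-3.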
When the IDS detects any network attack, it generates an attack alarm and triggers intrusion detection on the ICS device. The IDS sends the device identification and attack category to Markov 1. Markov1 is a Markov model of intrusion detection for a computing device and its attack category probabilities. Markov2 is a markov model that predicts whether a device should be transferred to a virtual honeypot device based on information sent by markov 1. The content delivery network continuously monitors the activity of each device and updates the transition probability matrix values for the devices using Markov 1. The ICS device moved to the virtual honeypot device is continuously monitored. If an LD is detected on the virtual honeypot device, the device's LDP (marginal device Probasic) is calculated using markov3 and the value is sent markov 4. Markov3 is a first order Markov model for the virtual honeypot device and Markov4 is a second order Markov model for the virtual honeypot device. Markov4 predicts whether to move the device back to the LD state. At the same time, it monitors all activities of the HD and generates a log file at the end. All log files are saved in the attack database. The attack database helps the content delivery network to prevent this type of attack from occurring in the future.
The content delivery network directs data delivery requests for each ICS device to legitimate devices, which monitor the activity of each device by using the deployed IDS. The IDSs of the content delivery network may be a combination of various types of IDSs, such as misuse-based intrusion detection systems (MIDS), anomaly-based intrusion detection systems (AIDS), and network-based intrusion detection systems (NIDS). The MIDS analyzes all device activities and generates an attack alert if any device abuses its rights. AIDS analyzes the activity of all devices and generates an attack alert when certain abnormal behavior is detected by the device. NIDS analyzes the flow of ICS industrial control network, and generates attack alarm when finding network congestion.
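The three detector types described above, run over a few constructed Modbus/TCP frames (the protocol named earlier in the description), as an added example that is not the patent's own code. The MBAP header parsing follows the Modbus/TCP framing; the device roles, the per-device function-code baselines, the rate threshold and window, and the captured frames are all constructed for illustration, and the NIDS "congestion" condition is approximated here as a per-device request burst. The output is the list of (device, category) alerts that the IDS would hand to Markov1.

```python
"""Three IDS flavours over Modbus/TCP traffic, producing (device, category)
alerts for the Markov stage.  Added example, not code from the patent: the
device roles, per-device baselines, thresholds and captured frames are all
constructed for illustration."""
import struct

# Modbus function codes that change process state (coils / registers).
WRITE_CODES = {5, 6, 15, 16, 22, 23}


def parse_mbap(frame: bytes) -> dict:
    """Parse the Modbus/TCP MBAP header plus function code.
    Raises ValueError on malformed frames so the caller can alert on them."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:   # length field counts unit id + PDU
        raise ValueError("length field disagrees with frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7]}


def run_ids(events, roles, baseline, rate_limit=5, window_s=1.0):
    """events: iterable of (timestamp_s, device_id, raw_frame).
    roles: device_id -> "read_only" | "read_write"   (misuse rule, MIDS).
    baseline: device_id -> set of function codes seen in normal operation
    (anomaly rule, AIDS).  Returns the ordered (device_id, category) alerts."""
    alerts = []
    recent = {}      # device_id -> timestamps inside the sliding window
    flooded = set()  # devices already reported for a burst
    for ts, dev, frame in events:
        # NIDS: traffic-rate rule; a burst from one device is reported once
        win = [t for t in recent.get(dev, []) if t > ts - window_s] + [ts]
        recent[dev] = win
        if len(win) > rate_limit and dev not in flooded:
            alerts.append((dev, "flood"))
            flooded.add(dev)
        try:
            pdu = parse_mbap(frame)
        except ValueError:
            alerts.append((dev, "malformed"))
            continue
        # MIDS: a read-only device issuing a write is abusing its rights
        if pdu["fc"] in WRITE_CODES and roles.get(dev) != "read_write":
            alerts.append((dev, "misuse"))
        # AIDS: a function code this device has never used before
        if pdu["fc"] not in baseline.get(dev, set()):
            alerts.append((dev, "anomaly"))
    return alerts


def mb_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a well-formed Modbus/TCP request (used to construct sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(payload) + 2, unit) + bytes([fc]) + payload


# Constructed sample traffic: an HMI that reads, a sensor that should only read,
# one write slipped in from the sensor, a read burst from the HMI, and a frame
# carrying a bogus protocol id.
ROLES = {"hmi-1": "read_write", "sensor-7": "read_only"}
BASELINE = {"hmi-1": {3, 6}, "sensor-7": {4}}
READ_HR = b"\x00\x00\x00\x0a"   # start address 0, 10 registers
SAMPLE_EVENTS = [
    (0.0, "hmi-1",    mb_frame(1, 1, 3, READ_HR)),
    (0.1, "sensor-7", mb_frame(2, 1, 4, READ_HR)),
    (0.2, "sensor-7", mb_frame(3, 1, 6, b"\x00\x01\x00\xff")),   # write single register
] + [(0.3 + 0.1 * i, "hmi-1", mb_frame(10 + i, 1, 3, READ_HR)) for i in range(6)] + [
    (1.5, "hmi-1", b"\x00\x09\x00\x01\x00\x02\x01\x03"),         # protocol id 1: not Modbus
]

if __name__ == "__main__":
    for dev, cat in run_ids(SAMPLE_EVENTS, ROLES, BASELINE):
        print(f"{dev}: {cat}")
```

One frame can raise more than one category (the sensor's write is both a misuse of its read-only role and a function code outside its baseline), which is why alerts are emitted per rule rather than per frame; the rate rule is evaluated before parsing so that a flood of malformed frames is still counted.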
Utilizing a Markov model module embedded in the content delivery network can help the content delivery network identify malicious devices based on requests for device delivery data and data generated by the IDS system. When an attack is initiated on a device, the IDS generates an attack alert and sends the detected device information to a Markov model module of the content delivery network. The markov model predicts whether a device should be transferred to a virtual honeypot device based on information from the intrusion detection system IDS, see the workflow diagram for intrusion detection given in fig. 4. A first order Markov model (Markov 1) predicts device classes and probabilities of being moved to virtual honeypot devices from the IDS generated output. The second order Markov model (Markov 2) decides whether to remove a device on a virtual honeypot device based on the device class and the probability of movement of the device.
The virtual honeypot device is responsible for generating log files of malicious device activities. Unlike firewalls or IDSs, it does not provide attack protection, but it can detect attack paths and generate network attack log files. The log files are stored in an attack database, and the content delivery network uses intrusion detection rules generated from these files to detect the same type of attack in the future. The virtual honeypot device is also responsible for finding LDs (legitimate devices) that were moved into it by mistake because of a false positive. To detect LDs on the virtual honeypot device, a honeypot second-order Markov model is used.
The virtual honeypot device monitors the malicious devices and identifies any LD that entered it by mistake. The monitor of the virtual honeypot device measures each activity of a malicious device and sends its results to a log file generator. The log file generator generates a log file of the malicious device's activities and saves it to the attack database. The attack database helps to prevent unknown attacks in the future and thus makes the system adaptive. When a monitored malicious device is detected as an LD by the monitor of the virtual honeypot device, its LDP is immediately calculated with Markov3. Markov4 then decides, on the basis of the LDP, whether to move the device back.
Fig. 5(1) is a schematic diagram of the first-order Markov general transition diagram of the industrial cloud-based industrial control safety framework system, and Fig. 5(2) is a schematic diagram of its second-order Markov general transition diagram. Kalman filtering and other linear and non-linear filtering techniques from probability theory and statistics have important real-world applications in predicting the future. A Markov model predicts the probability of future outcomes from the current state of the system rather than from its past activities. The performance of the Markov model is improved by using a hidden Markov model, which can predict the next state of a system whose states are hidden, something a plain Markov model cannot do. The present application employs hidden Markov models to predict the future behavior of a device. It also decides under what circumstances to move a device onto the virtual honeypot device, since a legitimate device may be compromised at any time, with or without the help of other devices. The two-stage Markov model of the present application analyzes the characteristics of each device when the intrusion detection system generates an attack alert on the device's operation (the terminology of the Markov model is given in Table 1).
[Table 1: Markov model terminology; the table image is not reproduced on this page.]
Applying a conventional IDS can generate a large number of false positives, because many ICS devices deliver different types of data to the devices for computation. Therefore, the present method and system also reduce the false alarm rate of a conventional IDS, making them more effective. When malicious activity by a device is detected by the IDS, an attack alert is generated and the device identifier and attack type are sent to the two-stage Markov model. The two-stage Markov model detects malicious devices in two separate passes. First, Markov1 classifies the device using a Markov model and calculates its shifting probability (SP). Next, these outputs are sent to Markov2, a hidden Markov model that predicts, depending on the device's SP and the type of attack, whether the device must be moved to a virtual honeypot device. Likewise, legitimate devices that were erroneously transferred to the virtual honeypot device by successive false positives of the IDS are recovered from it.
Moving a device depends on its SP or its legitimate device probability (LDP), which are calculated by Markov1 and Markov3 respectively. The Viterbi algorithm of the present application predicts these values. Markov1 or Markov3, and Markov2 or Markov4, use the general transition diagrams shown in Fig. 5(1) and Fig. 5(2) respectively. The transition diagram of each device differs because devices behave differently, and these transition diagrams are updated by the Viterbi algorithm after each activity of the device. The Viterbi algorithm of the hidden Markov model calculates the probabilities of all hidden states from the sequence of activities, i.e. emissions, performed by the user. Algorithm 1 below shows the steps by which the Viterbi algorithm identifies a malicious device from the sequence of requests it generates. The Viterbi algorithm is an instance of dynamic programming that follows the same pattern as the forward-backward algorithm. It differs from the forward-backward algorithm mainly in two respects: (1) the Viterbi algorithm replaces the summation of the forward-backward algorithm with a maximization; (2) the Viterbi algorithm stores the values of the maximization in a matrix that is read during backtracking to select the best sequence.
Suppose that $\delta_t(i)$ is the maximum probability that the device ends in state $i$ after a request sequence of length $t$, which produces the first $t$ observations of the hidden Markov model. Then $\delta_t(i)$ is defined as follows:

$\delta_t(i) = \max\{P(q(1), q(2), \ldots, q(t-1);\ O(1), O(2), \ldots, O(t) \mid q(t) = i)\}$
The idea of the Viterbi algorithm is given below.
Algorithm 1 provides all the steps involved in computing the output state from the device's input requests. Step (i) initializes all variables of the algorithm, i.e. the likelihood probabilities and the memory matrix. Step (ii) is a recursive step that calculates the likelihood probability for each input provided by the device and stores the calculated probabilities in a matrix of all parameters. This recursion ends when the termination condition described in step (iii) is reached. After termination, the backtracking step (iv) is performed to find the most suitable output state of the device from all the input requests it provided.
[Algorithm 1 (Viterbi algorithm): figure with steps (i) initialization, (ii) recursion, (iii) termination and (iv) backtracking; the image is not reproduced on this page.]
Here, $\delta_t(i)$ denotes the probability that the edge device ends in state $i$ given an input request sequence of length $t$; $\pi_i$ is the initial state probability for state $i$; $b_i(O(t))$ is the probability that the output is $O(t)$ if the initial state is $i$; and $a_{ij}$ is the transition probability from state $i$ to state $j$.
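The Viterbi procedure of Algorithm 1 and the two-stage decision built on it (Markov1/Markov2 on the content delivery network side, Markov3/Markov4 on the honeypot side), as an added example that is not the patent's own code. Standard HMM notation ($\pi$, $a$, $b$, $\delta$) is used for the quantities the description defines in words; the hidden states, the IDS output alphabet, the model parameters, the formulas for SP and LDP and the move thresholds are all constructed assumptions for illustration.

```python
"""Added example: two-stage hidden Markov decision over IDS alerts for one ICS device.

Standard HMM notation (pi, a, b, delta) is used for the quantities the description
defines in words; the model parameters, the SP/LDP formulas and the Markov2/Markov4
decision rules are constructed assumptions, not the patent's own values.
"""
import math

STATES = ("legitimate", "compromised")  # hidden device classes (assumed)
# IDS outputs that form the observation alphabet (assumed)
OBSERVATIONS = ("normal", "misuse_alert", "anomaly_alert", "congestion_alert")

# pi_i: initial state probabilities (constructed)
PI = {"legitimate": 0.9, "compromised": 0.1}
# a_ij: transition probabilities from state i to state j (constructed)
A = {"legitimate": {"legitimate": 0.95, "compromised": 0.05},
     "compromised": {"legitimate": 0.10, "compromised": 0.90}}
# b_i(O): probability of IDS output O when the device is in state i (constructed)
B = {"legitimate": {"normal": 0.85, "misuse_alert": 0.05, "anomaly_alert": 0.07, "congestion_alert": 0.03},
     "compromised": {"normal": 0.30, "misuse_alert": 0.30, "anomaly_alert": 0.25, "congestion_alert": 0.15}}


def viterbi(obs, pi=PI, a=A, b=B, states=STATES):
    """Algorithm 1: return (best hidden-state path, final log delta_T(i) per state)."""
    # step (i): initialization of delta_1(i) and the back-pointer (memory) matrix psi
    delta = [{s: math.log(pi[s]) + math.log(b[s][obs[0]]) for s in states}]
    psi = [{s: None for s in states}]
    # step (ii): recursion, maximizing (not summing, as forward-backward would) over the previous state
    for t in range(1, len(obs)):
        d, p = {}, {}
        for j in states:
            best = max(states, key=lambda i: delta[t - 1][i] + math.log(a[i][j]))
            d[j] = delta[t - 1][best] + math.log(a[best][j]) + math.log(b[j][obs[t]])
            p[j] = best
        delta.append(d)
        psi.append(p)
    # step (iii): termination once the whole request sequence is consumed
    last_t = len(obs) - 1
    state = max(states, key=lambda s: delta[last_t][s])
    # step (iv): backtracking through psi to recover the best state sequence
    path = [state]
    for t in range(last_t, 0, -1):
        path.append(psi[t][path[-1]])
    path.reverse()
    return path, delta[last_t]


def shifting_probability(delta_last):
    """Assumed SP: share of the terminal Viterbi score belonging to 'compromised' (softmax in log space)."""
    m = max(delta_last.values())
    w = {s: math.exp(v - m) for s, v in delta_last.items()}
    return w["compromised"] / sum(w.values())


def markov1(obs):
    """Stage 1: classify the device and compute its SP from the IDS output sequence."""
    path, delta_last = viterbi(obs)
    return path[-1], shifting_probability(delta_last), path


HIGH_RISK = {"misuse_alert", "anomaly_alert"}  # assumed high-risk attack types


def markov2(device_class, sp, attack_type, threshold=0.6):
    """Stage 2: decide whether to move the device to the virtual honeypot (assumed rule)."""
    if device_class != "compromised":
        return False
    # assumed policy: a high-risk attack type lowers the SP needed to move the device
    return sp >= (threshold - 0.2 if attack_type in HIGH_RISK else threshold)


def markov3_markov4(honeypot_obs, threshold=0.6):
    """Honeypot side: LDP (assumed as 1 - SP over the honeypot observations) and the move-back decision."""
    device_class, sp, _ = markov1(honeypot_obs)
    ldp = 1.0 - sp
    return ldp, device_class == "legitimate" and ldp >= threshold


if __name__ == "__main__":
    # constructed IDS output sequences for two devices
    attack_seq = ["normal", "misuse_alert", "anomaly_alert", "misuse_alert"]
    false_pos_seq = ["normal", "normal", "normal", "anomaly_alert"]
    for seq in (attack_seq, false_pos_seq):
        cls, sp, path = markov1(seq)
        print(path, f"class={cls} SP={sp:.3f} move={markov2(cls, sp, seq[-1])}")
```

The recursion keeps only the maximizing predecessor for each state and records it in `psi`; that back-pointer matrix is exactly the "memory matrix" the backtracking step reads. On the constructed sequences, a run of repeated alerts drives the best path into the compromised state with an SP near 0.86, while a single anomaly alert after normal activity leaves the device classified legitimate with a low SP, which is the false-positive case the second stage is meant to absorb.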
The above description covers only the preferred embodiment of the present invention and is not intended to limit its scope; all equivalent changes and modifications made according to the present invention are considered to fall within its scope.

Claims (2)

1. An industrial cloud-based industrial control safety framework system, characterized in that it protects the security of industrial control network data communication and further comprises a content delivery network;
the content delivery network comprises an intrusion detection and defense system module, a hidden Markov model module and a delivery strategy module, and is responsible for real-time intrusion detection of each ICS device, for predicting, with the hidden Markov model module, the probability of moving a device into or out of a virtual honeypot device, and for data delivery between devices according to the delivery strategy module;
the intrusion detection and defense system module is responsible for monitoring all devices of the ICS system and comprises a misuse-based intrusion detection system (MIDS), an anomaly-based intrusion detection system (AIDS) and a network-based intrusion detection system (NIDS);
the hidden Markov model module classifies all devices of the ICS system and provides the probability of transferring an attacked device into the virtual honeypot device and the probability of transferring it out of the virtual honeypot device;
the delivery strategy module comprises a secure and trusted strategy, a load balancing strategy and a nearby delivery strategy;
the secure and trusted strategy delivers the data collected by ICS devices to secure and trusted LD devices so as to ensure the security and reliability of the data and prevent its content from being tampered with;
the load balancing strategy balances the load of all available devices of the ICS system and delivers computing tasks to lightly loaded LD devices;
and the nearby delivery strategy delivers the data to the nearest or next-nearest LD device, so as to meet the real-time requirements of the ICS system.
2. The industrial cloud-based industrial control safety framework system of claim 1, wherein the virtual honeypot device is responsible for monitoring the devices in the virtual honeypot device, generating log files of malicious ICS devices, updating the attack database, generating intrusion detection rules and synchronizing them to the intrusion detection and defense system module of the content delivery network.
Priority Applications (1)

Application Number Priority Date Filing Date Title Status
CN201911421230.4A (granted as CN111338297B) 2019-12-31 2019-12-31 Industrial control safety framework system based on industrial cloud Active

Publications (2)

Publication Number Publication Date
CN111338297A true CN111338297A (en) 2020-06-26
CN111338297B CN111338297B (en) 2022-04-12

Family

ID=71183521

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884754A (en) * 2022-07-11 2022-08-09 深圳特科动力技术有限公司 Network security system for realizing fault prediction by intelligent analysis

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2013113532A1 (en) * 2012-01-30 2013-08-08 Telefónica, S.A. A method and a system to detect malicious software
US20150381649A1 (en) * 2014-06-30 2015-12-31 Neo Prime, LLC Probabilistic Model For Cyber Risk Forecasting
CN105577549A (en) * 2014-10-13 2016-05-11 中兴通讯股份有限公司 Method and system for realizing content delivery network based on software defined network
CN107770174A (en) * 2017-10-23 2018-03-06 上海微波技术研究所(中国电子科技集团公司第五十研究所) A kind of intrusion prevention system and method towards SDN
CN108834079A (en) * 2018-09-21 2018-11-16 北京邮电大学 A kind of load balance optimization method based on mobility prediction in heterogeneous network
CN108933772A (en) * 2018-03-19 2018-12-04 和芯星通(上海)科技有限公司 Attack detection method and device, computer readable storage medium and terminal
CN109167796A (en) * 2018-09-30 2019-01-08 浙江大学 A kind of deep-packet detection platform based on industrial SCADA system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
胡毅勋: "《基于Openflow的主动防御关键技术研究》", 《中国博士学位论文全文数据库 (信息科技辑)》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
PE01 Entry into force of the registration of the contract for pledge of patent right

Denomination of invention: An Industrial Control Security Framework System Based on Industrial Cloud

Effective date of registration: 20230912

Granted publication date: 20220412

Pledgee: Nanjing Branch of Jiangsu Bank Co.,Ltd.

Pledgor: NANJING LIANCHENG TECHNOLOGY DEVELOPMENT CO.,LTD.

Registration number: Y2023980056132