CN116975867A - Attack detection and tracing method and system based on code data fusion - Google Patents


Info

Publication number: CN116975867A
Authority: CN (China)
Prior art keywords: variable, attack, program, plc, scada
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202311098027.4A
Other languages: Chinese (zh)
Inventors: 陈积明 (Chen Jiming), 胡玉娇 (Hu Yujiao), 程鹏 (Cheng Peng), 杨泽域 (Yang Zeyu), 余华 (Yu Hua)
Current assignee: Zhejiang University (ZJU) (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Zhejiang University (ZJU)
Application filed by: Zhejiang University (ZJU)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 21/563 Static detection by source code analysis
    • G06F 18/00 Pattern recognition
    • G06F 18/20 Analysing
    • G06F 18/25 Fusion techniques
    • G06F 18/253 Fusion techniques of extracted features
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/02 Total factory control, e.g. smart factories, flexible manufacturing systems [FMS] or integrated manufacturing systems [IMS]


Abstract

The application discloses an attack detection and tracing method and system based on code data fusion. Historical variable records are obtained from the SCADA system of an industrial control system, and a finite state machine of the system under normal working conditions is constructed by defining system states, state transitions and state transition periods; abnormal PLC states are then detected in real time by checking the real-time variable records against this finite state machine. Control-program variable dependency paths are constructed from the PLC instruction list program, suspicious attack weights are assigned to the PLC program variables, and a tracing path is built from the mapping between SCADA variable records and PLC program variables. The method is non-intrusive at every stage; the times needed for data acquisition, detection and tracing meet the real-time requirements of industrial control systems; and, compared with other detection systems, the model is tightly coupled to the physical semantics of the system, with each state and each transition mapping objectively onto those semantics.

Description

Attack detection and tracing method and system based on code data fusion
Technical Field
The application relates to the field of intrusion detection for industrial control systems, and in particular to an attack detection and tracing method and system based on code data fusion.
Background
The programmable logic controller (PLC) is one of the most widely deployed small and medium-sized controllers at the field level of industrial control systems. It connects directly to the sensors and actuators of the controlled process and performs real-time control according to preset control logic, which makes it the core control device of the field control layer and an important asset to protect. PLC designs lag behind in protective measures such as authentication and encryption of communication data, so an attacker can exploit weaknesses such as unauthenticated industrial control protocols to modify PLC memory and alter the state of the physical process, leading to serious security incidents such as the Stuxnet attack. Quickly discovering an abnormal operating state therefore requires an intrusion detection system designed for the specific working environment of the PLC, together with tracing of the concrete attack point, so that an operator can locate the attack vector, isolate its effects and restore normal operation of the industrial control system.
Existing intrusion detection methods for industrial control systems are generally designed from two perspectives: 1) detection based on communication behavior, which applies misuse detection to find abnormal communication behavior in network components, network protocols and communication processes; 2) detection based on physical process dynamics, which monitors the physical data of the system and detects abnormal data behavior against a model of the normal behavior of the physical process. Existing approaches model the system by a single means, pay little attention to the controlled system as a whole, and give little support to the attack tracing that must follow detection. They also lack a joint design of real-time intrusion detection and attack tracing, in particular attack tracing at the level of the control code, so they give little support for quickly restoring the normal behavior of an attacked system and limiting the impact of the attack.
Disclosure of Invention
The application aims to provide an attack detection and tracing system based on code data fusion that is applicable to intrusion detection and tracing scenarios in industrial control systems. The method addresses the scenario in which a programmable logic controller (PLC) in an industrial control system is attacked, and detects abnormal system states and traces attack points effectively. It obtains historical variable records from the SCADA system, builds a normal-condition model of the industrial control system as a finite state machine, and detects abnormal PLC states in real time by checking the real-time variable records against that model. Using static program analysis, it builds control-program variable dependency paths from the PLC instruction list program, assigns suspicious attack weights to the PLC program variables, and builds a tracing path from the abnormal PLC state to the suspicious attack variables based on the mapping between SCADA variable records and PLC program variables. An attack detection and tracing system using this method meets the real-time requirements of industrial control systems, is non-intrusive, and does not affect the normal, stable operation of the industrial control system.
The application aims at realizing the following technical scheme:
The application provides an attack detection and tracing method based on code data fusion, applied to the security monitoring of an industrial control system and comprising the following steps:
S1: acquire the control program of the PLC in the industrial control system and the historical data of the SCADA monitoring system, and acquire the SCADA real-time variable records over OPC UA;
S2: take the historical variable records of the SCADA monitoring system as input, identify system states and state transitions, construct the finite state machine of the system under normal working conditions, and read the mapping between SCADA variable records and PLC program variables from the underlying database of the SCADA monitoring software;
S3: extract the dependency relationships between program variables from the PLC control program by static program analysis;
S4: in the data space, compare the SCADA real-time variable records with the normal-condition finite state machine, identify abnormal states and abnormal state transitions of the system, and thereby detect attacks;
S5: in the code space, starting from the abnormality reported by the attack detection mechanism, construct a suspicious attack tracing chain from the program-variable dependency relationships and the mapping between SCADA variable records and PLC program variables, compute suspicious attack weights, and trace the attack.
Further, in S2, the SCADA system variable record Log = {v_1, v_2, …, v_m} (m variables) is taken as input; each variable v_m is discretized into a unified value space J_m, and the value spaces together form the complete system state space. At the same time, by combining the system operating rules and the physical state constraints, all variables jointly define one system state, so that the set of normal states the real system actually takes is far smaller than the complete state space.
Further, in S2, the SCADA system variable record at time i is defined as u_i = {v_i1, v_i2, …, v_im}; a variable record is defined as a state, the change u_i → u_{i+1} between adjacent records as a state transition, and the time interval of the same state transition as the state transition period. Taking the SCADA history variable records as input, the finite state machine under normal working conditions is constructed: the start-up state of the system is the initial state of the state machine, every other state is an accepting state, state transition edges are established between the corresponding states, and the time intervals of repeated occurrences of the same edge are recorded.
Further, in S2, variable records are read automatically from the underlying database of the SCADA monitoring software, the finite state machine is built recursively, and online updating with new states, new state transitions and new state transition periods is supported.
Further, in S3, the analysis targets the basic PLC instruction list programming language and takes register assignment operations as its core to construct the dependency relationships between PLC program variables. Specifically, for a non-jump PLC instruction a transfer function D{Reg/Var} is designed to describe the direct dependence of the register-stored variable Reg on the related operand variables Var before and after the instruction executes; for a jump instruction, the dependency between the transfer functions D{Reg/Var} before and after the jump is described; for a function call instruction, the dependency between the actual parameters D{parameter} and the formal parameters D{parameter} of the called function is described.
Further, in S4, the SCADA variable record at any time is discretized into the value space J_m, the system state, state transition and state transition period are generated, and attacks are detected online in real time by comparison with the normal-condition finite state machine of the system.
Further, in S5, an attack variable traceability graph G(V, E) of the PLC program is established from the PLC program variable dependencies, where V contains all PLC program variables and E all dependency relationships between program variables. For the variable set V, all variables in the program are identified with regular expressions according to the PLC variable definition rules. For the edge set E, variable dependencies are added or removed for all program instructions in code execution order: for any instruction s, the output-register dependency sets of its predecessor instructions are merged register by register to obtain the input dependency relationship of s; if instruction s performs a write whose destination address is program variable Var, all input dependency variables of s are added to the dependency edge set of Var; and the PLC program instructions are analyzed in this way until the set of instructions still to be analyzed is empty.
Further, in S5, after a system abnormality is found in the SCADA variable records, the abnormal program variable Var_a is located automatically from the mapping between SCADA variable records and PLC program variables, and the propagation path of the attack variable's influence is traced on the attack variable traceability graph G(V, E); that is, the nodes on which Var_a depends are identified recursively to construct the suspicious attack tracing chain.
Further, in S5, to handle the several suspicious attack variables that may exist, a suspicious attack weight W_n is defined for program variable node n in terms of the following quantities: D_n, the number of dependency hops from node n to the abnormal variable Var_a; the set of all abnormal program variables that have a dependency relationship with node n; the set of normal variables that have a dependency relationship with node n; and a parameter α that adjusts, for different systems, how the ratio of normal to abnormal variables contributes to the tracing weight. A node n closer to the abnormal program variable Var_a has a higher probability of being the attacked variable, because the influence of an attacked variable weakens as it propagates through more conditions; and a node n that affects more abnormal program variables has a higher probability of being the attacked variable. The suspicious attack tracing path is output as the sequence of program variable nodes ordered by their weights W_n.
The application also provides an attack detection and tracing system based on code data fusion, which is non-intrusive and can be hot-deployed online without disturbing the running system, and which comprises the following modules:
Data acquisition module: acquires the PLC control program and the historical and real-time records of the SCADA monitoring system;
System state construction module: automatically builds the behavior of the industrial control system under normal working conditions, with the sub-modules (i) construction of a finite state machine model of industrial control system behavior from the SCADA data records, and (ii) abstraction of the dependency relationships between program variables from the PLC control program;
Attack detection and tracing module: identifies system states, state transitions and state transition periods from the real-time SCADA records provided by the data acquisition module; identifies abnormalities of the industrial control system by comparison with the normal-condition finite state machine; and, based on the mapping between SCADA variable records and PLC program variables and the dependency relationships among PLC program variables, traces the attacked path corresponding to the abnormal system state.
The beneficial effects of the application are as follows:
the method is used as an intrusion detection system and can be tightly combined with the physical semantics of the system, and each state and transition objectively map the physical semantics of the system.
The method selects SCADA history records for modeling of the finite state machine, but does not abstract the finite state machine of the system at the code level, so that the method is a more reasonable choice for real-time performance of industrial control intrusion detection and description of the real running state of the system. After the abnormal state is detected, the system backtracks from the abnormal program variables, can extract the affected physical quantity, the program variable set represented by the component and all the dependency sets of the set, provides references for subsequent program attack point investigation, realizes attack tracing at the control program level, and can provide effective references for operators to quickly locate attack points and exclude threats.
According to the application, the normal behavior modeling of the industrial control system is carried out according to the SCADA historical record value and the PLC control program, the original control system is not required to be changed, and the normal operation of the system is not influenced in the deployment and use process.
Drawings
FIG. 1 is a schematic diagram of the intrusion detection and tracing system architecture according to an embodiment of the present application;
FIG. 2 is a schematic diagram of attack tracing according to an embodiment of the present application;
FIG. 3 is a schematic diagram of the cumulative time consumed by communication, intrusion detection and attack tracing according to an embodiment of the present application.
Detailed Description
For a better understanding of the technical solution of the present application, the following detailed description of the embodiments of the present application refers to the accompanying drawings.
It should be understood that the described embodiments are merely some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terminology used in the embodiments of the application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
The application provides an attack detection and tracing method based on code data fusion.
In one embodiment, the flow of the attack detection and tracing method based on code data fusion is shown in FIG. 1. The intrusion detection and tracing system designed by the method uses the SCADA system, the OPC UA protocol and the control program that are widely present in a PLC working environment to acquire data from both the physical space and the program space. The system consists mainly of two stages, modeling of the industrial control system and detection of abnormal behavior: in the modeling stage, the normal-condition model of the system in the data space is built from SCADA monitoring records, and the variable dependency relationships of the system in the code space are built from the control program; in the detection stage, real-time variable records of the SCADA system are acquired over OPC UA, abnormal system states are detected, and the attacked variable is traced.
The use of the method is described below using a physical elevator system and its accompanying workstation as the example. Based on the SCADA system, the method acquires the physical state of the system and establishes the intrusion detection algorithm, which provides the starting point for attack tracing; based on the PLC control program, it acquires the program variable dependency relationships and establishes the attack variable tracing m
echanism.
Using the established state machine of the industrial control system and the control program variable dependencies, system attacks are detected and all possible program-variable attack points are traced back from the abnormal system state.
The method specifically comprises the following steps:
Step 1: the intrusion detection and tracing system is deployed in the local area network where the SCADA of the elevator system is located; the variable history of the elevator system under normal working conditions is obtained from the SCADA system database, and the instruction list program executed by the PLC is obtained by accessing the PLC;
Step 2: based on the historical variable records of the SCADA monitoring system, system states and state transitions are identified and the normal-condition model of the controlled physical process is established as a finite state machine.
The SCADA system variable record Log = {v_1, v_2, …, v_m} (m variables) is taken as input; each variable v_m is discretized into a value space J_m, and the value spaces together form the complete system state space. At the same time, by combining the system operating rules and the physical state constraints, all variables jointly define one system state, so that the set of normal states the real system actually takes is far smaller than the complete state space.
The SCADA system variable record at time i is defined as u_i = {v_i1, v_i2, …, v_im}; a variable record is defined as a state, the change u_i → u_{i+1} between adjacent records as a state transition, and the time interval of the same state transition as the state transition period. Taking the SCADA history variable records as input, the finite state machine under normal working conditions is constructed: the start-up state of the system is the initial state of the state machine, every other state is an accepting state, state transition edges are established between the corresponding states, and the time intervals of repeated occurrences of the same edge are recorded.
When the normal-condition finite state machine is constructed, variable records are read automatically from the underlying database of the SCADA monitoring software; the records read from the database include the one-to-one mapping between SCADA variable records and PLC program variables. Each historical variable record is a state node of the finite state machine: the model's state set is built record by record, and every state encountered that is not yet in the state set is added to it. Two adjacent, different variable records, for example u_i = {v_i1, v_i2, …, v_im} and u_{i+1} = {v_(i+1)1, v_(i+1)2, …, v_(i+1)m}, generate a state transition s_i → s_j between the states corresponding to the two records, which is added to the transition set. The history contains many repetitions of the same state transition, reflecting the repetitive behavior of the industrial control system under its program logic and its normal input environment. To record the normal time range of a transition, timing starts when a state s_j different from the last recorded state s_i appears and stops when the next different state s_k appears; if the measured duration lies outside the extreme values recorded so far for that transition, the duration range of the transition is updated. In this way the finite state machine is built recursively into a normal-condition model of the controlled physical process, and the model supports the online addition of new states, new state transitions and new state transition periods.
In this embodiment, the state machine model of the elevator system is built from 2 hours of SCADA variable records, each record covering 46 key input/output points. The historian data of the 46 points is partitioned by value space (for example, logic quantities are split into 0 and 1). The number of elevator system states converges gradually as the number of records grows and remains far smaller than the theoretical maximum of 2^46. Modeling the working conditions of the elevator yields 2008 system states and 2868 state transitions in total, and this finite state machine serves as the base model for monitoring intrusion behavior;
Step 3: based on the PLC instruction list program, a program semantic abstraction is designed according to the needs of attack tracing, in combination with the characteristics of the PLC programming language, and the dependency relationships between variables are constructed. Specifically, for a non-jump PLC instruction a transfer function D{Reg/Var} is established that describes the direct dependence of the register-stored variable Reg on the related operand variables Var before and after the instruction executes; for a jump instruction, the dependency between the transfer functions D{Reg/Var} before and after the jump is described; for a function call instruction, the dependency between the actual parameters D{parameter} and the formal parameters D{parameter} of the called function is described. These three transfer functions form the normal propagation model of the PLC program variables;
An attack variable traceability graph G(V, E) of the PLC program is established, in which V contains all PLC program variables and E all dependency relationships between program variables. For the variable set V, all variables in the program are identified with regular expressions according to the PLC variable definition rules. For the edge set E, the variable dependencies D{Reg/Var} are added or removed for all program instructions in code execution order. Specifically, for any instruction s, the output-register dependency sets of its predecessor instructions are merged register by register to obtain the input dependency relationship of s; if instruction s performs a write whose destination address is program variable Var, all input dependency variables of s are added to the dependency edge set of Var; and the PLC program instructions are analyzed in this way until the set of instructions still to be analyzed is empty.
Step 4: attack detection is performed on the variable records acquired from the SCADA in real time over the OPC UA protocol. The method communicates with WinCC through its OPC UA interface; the default WinCC variable archiving period is 500 ms, so the archived real-time values are read by cyclic polling and compared with the established normal-condition finite state machine.
The SCADA variable record at any time is discretized into the value space J_m, and the system state, state transition and state transition period are generated. Online real-time attack detection then checks whether the record falls into the set formed by the states not described by the model and the state transitions whose duration exceeds the recorded upper or lower limit, which are the intrusion behaviors that the normal-condition finite state machine can detect. The variables involved in behavior not recorded in the normal-condition model are added to the abnormal variable set AVars, and reportementtimeerror() (as named in the text) or another exception-reporting function is called.
Step 5: when a system abnormality is found in the SCADA variable records, the abnormal program variable Var_a is located automatically from the mapping between SCADA variable records and PLC program variables, and the propagation path of the attack variable's influence is traced on the attack variable traceability graph G(V, E); that is, by recursively identifying the nodes on which Var_a depends, a suspicious attack tracing chain is constructed.
All variables on which the abnormal variable depends are then weighted to decide their investigation priority. For the several suspicious attack variables that may exist, the suspicious attack weight W_n of program variable node n is calculated from the following quantities: D_n, the number of dependency hops from node n to the abnormal variable Var_a; the set of all abnormal program variables that have a dependency relationship with node n; the set of normal variables that have a dependency relationship with node n; and a parameter α that adjusts, for different systems, how the ratio of normal to abnormal variables contributes to the tracing weight. The α range is designed in two segments, from 0 to 1 in steps of 0.05 and from 1 to 20 in steps of 1; at α = 15 the average and maximum numbers of tracing steps converge to their best values, an average of 4.0 steps and a maximum of 25. The program variable nodes are sorted by their suspicious attack weight W_n, and the result is output as the attack tracing path.
This completes attack detection and tracing for the industrial control system. In the elevator system embodiment, five classes of attack vectors are designed: class A aims to drive the elevator into a dangerous operating state, class B to maliciously damage equipment, class C to give misleading information, class D to forge user input commands, and class E to spoof sensors.
The intrusion monitoring and attack tracing results of the elevator embodiment against the designed attack vectors are shown in Table 1. The evaluation has three indicators: whether the attack behavior was detected, how many steps along the tracing chain had to be checked before the attack point was reached, and the ratio of tracing steps to the total number of variables. Among the tested vectors, 46 attacks actually affected the elevator system, and for every detected attack the attack point was reached within a definite number of tracing steps. Of the 24 dangerous-state attacks A1–A24 on different points, all except A8–A11 were detected outright; these four attacks either trigger the door-closing action immediately after the car is in position (one attack) or delay the door-closing action after the door has fully opened (three attacks), and two of the delayed-closing attacks were detected, giving 22 of 24. All 20 attacks of the equipment-damage, misleading-information and sensor-spoofing classes were detected. The two forged user command tests were not detected, because the forged commands also occur in the history, so the states involved are already part of the finite state machine. Overall, the accuracy of the system on the intrusion detection task is 91.3% (42 of 46); for every successfully detected attack the tracing chain contains the attack point; following the node order of the attack tracing graph, the actual attack point in the I and Q areas is reached within 4 steps, and in the worst case, for an attack vector in the M area, the ratio of tracing steps to the total number of variables is 31.25%. The table entries are described below for typical attack vectors of each class.
Attack vector A1 performs a set operation on point Q0.7 while the door is open, causing the elevator to rise with the door open, which could have the serious consequence of a passenger falling. During intrusion detection the SCADA variable records show a state outside the model: Q0.7 changes level while the other sensors are unchanged, so this point is traced, and since the point is the attack point itself the number of tracing steps is 1. Attack vector B3 triggers the door-closing control point Q1.2 while the door is open: when the door-open point Q1.1 is active, the attack activates Q1.2 at the same time, both points are passed in turn to the output-stage control points according to the PLC logic, and the motor switches rapidly between forward and reverse, roaring loudly and stopping at the mid position; during intrusion monitoring the attack also affects the states of other points, which show corresponding level changes. Attack vector C3 lights the seven-segment display to show '3' through point Q0.3 while the elevator is at the second floor, so that passengers on the third floor mistakenly believe the elevator has arrived and may fall into the elevator shaft; during intrusion detection the abnormal variable change occurs only at point Q0.3. The class-D attack vectors simulate attacks launched through the passenger buttons that keep the elevator occupied; they cannot be detected, because this behavior causes no abnormal state or state transition and the corresponding behavior is recorded in the normal operation of the elevator.
Class-E attacks also target points in the I area, but because the attacked point is a sensor (for example, in E1 the second-floor in-position sensor is triggered while the elevator is at the third floor, causing the door to open wrongly) and no corresponding state exists in the model, they can be detected.
Both the attack vectors A21 and A22 take M1.0 as attack sites, but the tracing steps are different, because the elevators are respectively in a static state and a door opening state during attack, the attack effects are respectively that the elevator ascends for a certain distance and the ascending indicator lamp is lightened, the abnormal variable set of the elevator is { QO.4 and QO.7}, an attack tracing graph is made, the tracing weights of the variables of all layers are calculated, the tracing order of the actual attack variable is 8, the abnormal variable set of the elevator is { QO.4}, and the tracing order of the actual attack variable is 3. The attack sites of the two attack vectors are consistent, but the state changes caused by the attack on the same site under different running states are different, and the abnormal variables captured by intrusion detection are different, so that the structure of the attack tracing graph and the tracing weight of each node are different, and the required steps tracing to the attack sites are finally influenced.
Table 1: intrusion monitoring and attack tracing result for designed attack vector
In the elevator system embodiment, the attack tracing paths and the corresponding tracing-weight ranks are shown in Fig. 2: a suspicious variable set representation is constructed with the monitored abnormal variable as the centre and the dependency distance as the radius; node weights are distinguished by the radius of each layer; tracing investigates the attack from the inside outwards, and the outermost layer, the variables with no dependency relationship to the abnormal node, has the lowest probability of being attacked.
In the elevator system embodiment, the Siemens S7-300 PLC drives the elevator by executing a control program and reading/writing sensor and actuator states. Vulnerabilities of the current S7-300 PLC communication protocol are exploited to alter the normal operating purpose of the elevator, subjecting the elevator system to attacks such as PLC memory tampering and malicious logic triggering. Across the 46 attacks, the detection rate of the method reaches 91.3%, and the tracing results locate the attack sites within an average of 4 tracing steps.
Corresponding to the embodiment of the attack detection and tracing method based on the code data fusion, the application also provides the embodiment of the attack detection and tracing system based on the code data fusion.
The application also provides an attack detection and tracing system based on code data fusion, which is non-intrusive and supports online, non-disruptive hot deployment, and which comprises the following modules:
a data acquisition module: acquires the control program of the PLC and the historical and real-time records of the SCADA monitoring system;
a system state construction module: automatically builds the behaviour of the industrial control system under normal working conditions, with the following submodules: (i) constructing a finite state machine model of the behaviour of the industrial control system based on SCADA data records, (ii) abstracting the dependency relationships among program variables based on the PLC control program;
an attack detection and tracing module: identifies the system state, state transitions and state transition periods from the real-time data records of the SCADA monitoring system obtained by the data acquisition module; identifies abnormalities of the industrial control system by comparison with the finite state machine of the system under normal working conditions; and traces the attacked path corresponding to the abnormal system state based on the mapping between SCADA variable records and PLC program variables and the dependency relationships among the PLC program variables.
The embodiment verifies the low detection delay and the non-disruptive hot-deployment capability of the system. The communication time of real-time data acquisition, which is the largest share of the whole data acquisition process, is shown in Fig. 3: the abscissa is elapsed time, the ordinate is the recorded acquisition time, and the dashed line is the average. The average is about 200 milliseconds and the worst case is nearly 400 milliseconds, still below the 500 millisecond SCADA data recording period.
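As an added illustration of the state-machine detection performed by the modules above (this is not code from the patent or its elevator embodiment), the following Python learns a finite state machine from constructed SCADA records and checks live records against it; the variable names, the discretization thresholds and the 1.5x period slack are assumptions.

```python
# Added example, not from the patent: learn an FSM from constructed SCADA history
# and flag records that fall outside it (unknown state, unknown transition, late transition).
from collections import defaultdict

def rec(floor, door_open, speed):
    """Constructed raw SCADA record: floor sensor, two door sensors, motor speed (analog)."""
    return {"floor": floor, "door_open": door_open, "door_closed": not door_open, "speed": speed}

def discretize(record):
    """Map a raw record into the unified value spaces J_m: bits stay, speed is binned."""
    level = 0 if record["speed"] < 5 else 1 if record["speed"] < 50 else 2
    return (record["floor"], record["door_open"], record["door_closed"], level)

class SystemFSM:
    def __init__(self):
        self.states = set()
        self.transitions = defaultdict(list)   # (src, dst) -> dwell times in src before the edge, ms

    def learn(self, history):
        """history: time-ordered (t_ms, raw_record) pairs from normal operation."""
        prev, entered = None, None
        for t, raw in history:
            s = discretize(raw)
            self.states.add(s)
            if prev is not None and s != prev:
                self.transitions[(prev, s)].append(t - entered)
            if prev is None or s != prev:
                prev, entered = s, t
        return self

    def check(self, live, slack=1.5):
        """Return (t, reason, detail) alerts for real-time records compared against the FSM."""
        alerts, prev, entered = [], None, None
        for t, raw in live:
            s = discretize(raw)
            if s not in self.states:
                alerts.append((t, "unknown state", s))
            elif prev is not None and s != prev:
                edge = (prev, s)
                if edge not in self.transitions:
                    alerts.append((t, "unknown transition", edge))
                elif t - entered > slack * max(self.transitions[edge]):
                    alerts.append((t, "transition period exceeded", edge))
            if prev is None or s != prev:
                prev, entered = s, t
        return alerts

# Constructed normal cycle: floor 1 doors open/close, car moves up, floor 2 doors open/close.
HISTORY = [
    (0, rec(1, False, 0)), (500, rec(1, False, 0)), (1000, rec(1, True, 0)),
    (3000, rec(1, True, 0)), (4000, rec(1, False, 0)), (4500, rec(1, False, 30)),
    (6500, rec(2, False, 30)), (7000, rec(2, False, 0)), (7500, rec(2, True, 0)),
    (9500, rec(2, False, 0)),
]
# Constructed attack-like records: a door-open output driven while the car is moving.
DOOR_WHILE_MOVING = [(0, rec(1, False, 0)), (500, rec(1, False, 30)), (1500, rec(1, True, 30))]
# Constructed sensor inconsistency: the floor sensor changes with no motion in between.
FLOOR_JUMP = [(0, rec(2, False, 0)), (500, rec(1, False, 0))]

def run():
    fsm = SystemFSM().learn(HISTORY)
    return fsm.check(DOOR_WHILE_MOVING), fsm.check(FLOOR_JUMP)
```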
The above embodiments are provided to help those of ordinary skill in the art understand and apply the present application. It will be apparent to those skilled in the art that various modifications can be made to the foregoing without inventive effort, and that the generic principles described herein can be applied to other aspects without the use of inventive faculty. Accordingly, the present application may be modified and changed without departing from its technical principles, and such modifications and changes fall within the protection scope of the present application.

Claims (10)

1. The attack detection and tracing method based on the code data fusion is characterized by comprising the following steps:
S1: acquiring the control program of a PLC in an industrial control system and the historical record data of an SCADA monitoring system, and acquiring SCADA real-time variable records via OPC UA;
S2: taking the historical variable records of the SCADA monitoring system as input, identifying the system states and state transitions, constructing the finite state machine of the system under normal working conditions, and accessing the mapping relation between SCADA variable records and PLC program variables from the underlying database of the SCADA monitoring software;
S3: based on the PLC control program, extracting the program variable dependency relationships using static program analysis;
S4: in the data space, comparing the SCADA real-time variable records with the finite state machine of the system under normal working conditions, identifying abnormal states and abnormal state transitions of the system, and completing attack detection;
S5: in the code space, based on the system abnormality detected by the attack detection mechanism, constructing a suspicious attack tracing chain according to the program variable dependency relationships and the mapping relation between SCADA variable records and PLC program variables, identifying suspicious attack weights, and carrying out attack tracing.
2. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S2 the SCADA system variable record $Log = \{v_1, v_2, \ldots, v_m\}$, that is, all variables recorded by SCADA, is used as input, where $m$ is the total number of variables recorded by SCADA; each variable $v_m$ is discretized into a unified value space $J_m$, and together these form the complete system state space; at the same time, the system state is built by unifying the variables in combination with the system operating rules and physical state constraints, so that the set of normal states of the actual abstracted system is far smaller than the complete state space.
3. The attack detection and tracing method based on code data fusion according to claim 2, wherein in S2 the variable record of the SCADA system at the $i$-th moment is defined as $u_i = \{v_{i1}, v_{i2}, \ldots, v_{im}\}$ and is taken as a state; the change between variable records at adjacent moments, $u_i \to u_{i+1}$, is defined as a state transition, and the time interval of the same state transition is defined as the state transition period. With the SCADA historical variable records as input, a finite state machine under normal working conditions is constructed: the system start-up state is taken as the initial state of the state machine and every other state as an accepting state, state transition edges are established between the corresponding states, and the time intervals of identical edges are recorded.
4. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S2 the variable records are accessed automatically from the underlying database of the SCADA monitoring software, and the finite state machine is constructed recursively and supports online updates with new states, new state transitions and new state transition periods.
5. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S3 the dependency relationship between PLC program variables is constructed with the register assignment operation as the core of the PLC basic instruction list programming language; specifically, for a PLC non-jump instruction, a transfer function $D\{Reg/Var\}$ is designed to describe the direct dependence of the variable stored in register $Reg$ on the related operand variable $Var$ before and after execution of the PLC instruction; for a PLC jump instruction, the dependency relationship between the transfer functions $D\{Reg/Var\}$ before and after the program jump is described; for a PLC function call instruction, the dependency relationship between the actual parameter $D\{parameter\}$ and the formal parameter $D\{parameter\}$ of the called function is described.
6. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S4, the SCADA variable record at any moment is discretized into the value space $J_m$ to generate the system state, state transition and state transition period, and attacks are detected online in real time by comparison with the finite state machine of the system under normal working conditions.
7. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S5, based on the PLC program variable dependencies, an attack variable tracing graph $G(V, E)$ of the PLC program is established, where $V$ defines all PLC program variables and $E$ defines all dependency relations among the program variables; for the variable set $V$, all variables in the program are identified with a regular expression according to the PLC variable definition rules; for the edge set $E$, variable dependencies are added or removed over all program instructions in code execution order: specifically, for any instruction $s$, the output-register dependency set of its predecessor instructions is resolved register by register to obtain the input dependency relationship of instruction $s$; if instruction $s$ performs a write whose destination address is program variable $Var$, all input dependency variables of instruction $s$ are added to the dependency edge set of program variable $Var$; the PLC program instructions are analysed in this way until the set of instructions to be analysed is empty.
8. The attack detection and tracing method based on code data fusion according to claim 7, wherein in S5, after a system abnormality is found from the SCADA variable records, the abnormal program variable $Var_a$ is located automatically according to the mapping relation between SCADA variable records and PLC program variables, and the influence propagation path of the attack variable is traced according to the attack variable tracing graph $G(V, E)$; specifically, the nodes that have a dependency relationship with $Var_a$ are identified recursively to construct a suspicious attack tracing chain.
9. The attack detection and tracing method based on code data fusion according to claim 1, wherein in S3.2, facing the possibly multiple suspected attack variables, a suspicious attack weight $W_n$ of program variable node $n$ is defined,
where $D_n$ is the number of dependency hops from node $n$ to the abnormal variable $Var_a$, one set is defined as all abnormal program variables that have a dependency relationship with node $n$, another set as the normal variables that have a dependency relationship with node $n$, and the parameter $\alpha$ regulates the share of normal/abnormal variables in the tracing weight for different systems. A node $n$ closer to the abnormal program variable $Var_a$ has a higher probability of being the attacked variable, because the influence of the attacked variable weakens as the number of dependency hops increases; a node $n$ that affects more abnormal program variables has a higher probability of being the attacked variable. According to the suspicious attack weight $W_n$ of each program variable node $n$, the suspicious attack tracing path sequence is output in order of weight magnitude.
10. A system for implementing the attack detection and tracing method based on code data fusion according to any one of claims 1-9, characterized in that the system comprises the following modules:
a data acquisition module: used to acquire the control program of the PLC and the historical and real-time records of the SCADA monitoring system;
a system state construction module: used to automatically construct the behaviour of the industrial control system under normal working conditions, comprising the following submodules: (i) constructing a finite state machine model of the behaviour of the industrial control system based on SCADA data records, (ii) abstracting the dependency relationships among program variables based on the PLC control program;
an attack detection and tracing module: identifies the system state, state transitions and state transition periods from the real-time data records of the SCADA monitoring system obtained by the data acquisition module; identifies abnormalities of the industrial control system by comparison with the finite state machine of the system under normal working conditions; and traces the attack path corresponding to the abnormal system state based on the mapping between SCADA variable records and PLC program variables and the dependency relationships among the PLC program variables.
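As an added example (not the patent's code) of the dependency extraction and tracing described in claims 5, 7, 8 and 9, the following Python parses a constructed, simplified STL-like fragment into a variable dependency graph and ranks candidate attack variables for a set of abnormal variables; the instruction subset, the variable syntax and the weight formula are assumptions, since the patent's exact weight formula does not appear on this page.

```python
import re
from collections import defaultdict, deque

# Constructed STL-like elevator fragment (not the patent's program); "//" starts a comment.
PROGRAM = """
A I0.0      // floor-1 in-place sensor
A I0.3      // door-open button
= M1.0      // door-open request marker
A M1.0
AN I0.5     // door fully-open limit switch
= Q1.1      // door-open motor output
A M1.0
= Q0.4      // up-direction indicator lamp
L MW10      // base speed
L MW12      // ramp offset
+I
T MW14      // motor speed setpoint
"""
VARIABLE = re.compile(r"^(?:[IQM]\d+\.\d|MW\d+)$")  # toy variable syntax (claim 7 uses a regex)
def build_dependency_graph(program):
    """Edge set E: var -> variables it directly depends on; regs holds D{Reg/Var} per register."""
    deps, regs = defaultdict(set), {"RLO": set(), "ACC1": set(), "ACC2": set()}
    for line in filter(None, (raw.split("//")[0].split() for raw in program.splitlines())):
        op, var = line[0], line[1] if len(line) > 1 else None
        if var is not None and not VARIABLE.match(var):
            raise ValueError(f"unrecognised operand {var!r}")
        if op in ("A", "AN", "O", "ON"):        # bit logic reads var into RLO
            regs["RLO"] = regs["RLO"] | {var}
        elif op in ("=", "S", "R"):             # bit write: var depends on RLO; new logic string
            deps[var] |= regs["RLO"]
            regs["RLO"] = set()
        elif op == "L":                         # load: ACC1 -> ACC2, var -> ACC1
            regs["ACC2"], regs["ACC1"] = regs["ACC1"], {var}
        elif op in ("+I", "-I", "*I", "/I"):    # arithmetic: ACC1 op ACC2 -> ACC1
            regs["ACC1"] = regs["ACC1"] | regs["ACC2"]
        elif op == "T":                         # transfer: var depends on ACC1
            deps[var] |= regs["ACC1"]
        else:                                   # jumps and calls are not modelled here
            raise ValueError(f"unsupported instruction {op!r}")
    return deps

def trace(deps, abnormal, alpha=0.5):
    """Rank candidate attack variables for an abnormal set (claims 8, 9). Assumed weight, not the
    patent's formula: W_n = |A_n| / (|A_n| + alpha*|N_n|) / (1 + D_n), D_n = hops from n to the
    nearest abnormal variable, A_n/N_n = abnormal/normal variables transitively depending on n."""
    dist, queue = {a: 0 for a in abnormal}, deque((a, 0) for a in abnormal)
    while queue:                                # walk dependency edges backwards from Var_a
        n, d = queue.popleft()
        for p in deps.get(n, ()):
            if p not in dist:
                dist[p] = d + 1
                queue.append((p, d + 1))
    rows = []
    for n, d in dist.items():
        cone, stack = {n}, [n]                  # n plus everything that transitively depends on it
        while stack:
            x = stack.pop()
            new = {v for v, parents in deps.items() if x in parents} - cone
            cone |= new
            stack.extend(new)
        a, nn = len(cone & abnormal), len(cone - abnormal)
        rows.append((n, d, a, round(a / (a + alpha * nn) / (1 + d), 3)))
    rows.sort(key=lambda r: (-r[3], -r[2], r[1], r[0]))   # weight, abnormal count, hops, name
    return [(n, d, w) for n, d, _, w in rows]
```

With the abnormal set {Q0.4, Q1.1}, the marker M1.0 that both outputs depend on ranks third, directly after the two abnormal variables themselves; a larger alpha pushes candidates with many normal dependents further down.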
CN202311098027.4A 2023-08-29 2023-08-29 Attack detection and tracing method and system based on code data fusion Pending CN116975867A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311098027.4A CN116975867A (en) 2023-08-29 2023-08-29 Attack detection and tracing method and system based on code data fusion


Publications (1)

Publication Number Publication Date
CN116975867A true CN116975867A (en) 2023-10-31



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination