KR101538709B1 - Anomaly detection system and method for industrial control network - Google Patents

Abstract

Disclosed are a system and a method for detecting an abnormal behavior for an industry control network. The system comprises: a packet learning portion for collecting packets which are transferred from the industry control network during a pre-designated normal behavior learning period, verifying a normal packet for the collected packets, and acquiring a white list, at least one individual packet model, at least one pattern library, and at least one traffic model based on the verified normal packet; a database portion for storing the white list, the individual packet model, the pattern library, and the traffic model; a packet examination portion for collecting packets which are transferred from the industry control network after the normal behavior learning period, comparing the collected packets with the white list, the individual packet model, the pattern library, and the traffic model stored in the database portion, and detecting an abnormal behavior on the industry control network; and a preprocessing portion for receiving the packets which are collected in the packet learning portion and the packet examination portion, and preprocessing the collected packets in a preset method, and transferring the collected packets to the packet learning portion and the packet examination portion.

Description

TECHNICAL FIELD [0001] The present invention relates to an abnormal behavior detection system and method for an industrial control network,

The present invention relates to an abnormal behavior detection system and method for an industrial control network, and more particularly to an abnormal behavior detection system and method for an industrial control network based on machine learning techniques.

The communication network technology has been widely spread not only in the field of information communication but also in various fields due to the rapid development of communication technology. In addition, the communication network technology, which has been widely used in various fields, is being developed in an independent form considering characteristics of each field according to the applied field.

The industrial control network among the communication networks that are individually developed for each of these fields means a communication network used in an industrial control system constructed to control industrial devices. Various communication network methods have also been proposed within the industrial control network. For example, Smart Grid and Micro Grid are examples of typical industrial control networks.

In industrial control network, unlike existing IT based network environment, the industrial control system must be able to operate normally in any case. Therefore, availability must be ensured first, and it is sensitive to data transmission time in order to improve control accuracy. That is, the control signal must be able to be transmitted at the precise time required by the user at any time.

On the other hand, the frequency of cyber attacks on industrial control systems through industrial control networks is increasing, and the enhancement of security of industrial control networks is becoming an important issue. So far, various studies have been carried out to enhance the security of industrial control networks, but most of them require redesign of protocols, installation of agents, and replacement of equipment. However, in the industrial control network considering availability as a top priority, the above-mentioned method has a problem that it is often difficult to apply to the currently operating industrial control network because it requires a shutdown for software update or replacement of equipment, In addition, there is a limitation that it can not be performed in a short period of time.

Other alternatives for security enhancement include encryption and message authentication methods, which are commonly used in general IT-based networks, but also require time for encryption and decryption and time for message authentication, There is a problem in that the application to the system is limited.

Therefore, there is a need for a security enhancement method considering the specificity of the industrial control network.

Korean Patent No. 10-1281456 discloses an industrial control system. In the SCADA (Supervisory Control and Data Acquisition) network for efficiently managing and controlling a power system such as a power transmission and distribution facility, a network traffic ) State, and judges whether the measured self-similarity exceeds a preset threshold value. However, considering only network traffic, security is still weak.

It is an object of the present invention to provide an abnormal behavior detection system for an abnormal industrial control network that can detect an abnormal behavior based infiltration without interruption of the network at low cost in an industrial control network.

Another object of the present invention is to provide an abnormal behavior detection method for an abnormal industrial control network to achieve the above object.

In order to achieve the above object, an abnormal behavior detection system for an industrial control network according to an exemplary embodiment of the present invention collects packets transmitted in an industrial control network during a predetermined normal action learning period, After verification, a packet learning unit obtains a white list, at least one individual packet model, at least one pattern library, and at least one traffic model based on the verified normal packets. A database unit for storing the white list obtained by the packet learning unit, the at least one individual packet model, the at least one pattern library, and the at least one traffic model; Collecting the packets transmitted from the industrial control network after the normal learning learning period and transmitting the collected packets to the white list, the at least one individual packet model, the at least one pattern library, A packet inspection unit for detecting an abnormal behavior on an industrial control network by comparing with at least one traffic model; A preprocessing unit for receiving the packets collected by the packet learning unit and the packet checking unit, preprocessing the packets in a preset manner, and transmitting the packets to the packet learning unit and the packet checking unit; .

Wherein the preprocessing unit includes: a common pre-processing unit for receiving and analyzing the packets from the packet learning unit and the packet checking unit in a flow / protocol unit; And preprocessing the packets classified by the common pre-processing unit in three predetermined ways to correspond to the at least one individual packet model, the at least one pattern library, and the at least one traffic model, A parallel preprocessing unit for transmitting the packet to the learning unit and the packet checking unit; And a control unit.

The parallel preprocessor may include an individual packet preprocessor for dividing the packets classified and applied by the common preprocessor into flow / protocol units and selecting and normalizing the fields of the packets; A packet pattern preprocessing unit for dividing the packets classified and applied by the common pre-processing unit into individual nodes and protocol units, and extracting a packet pattern from the received packets using a predetermined pattern search algorithm; And a data set is generated by calculating the number of packets, the average packet size, and the number of packets per protocol in a predetermined time unit so as to analyze traffic characteristics of the industrial control network from the packets classified and applied by the common pre-processing unit A traffic preprocessing unit; And a control unit.

Wherein the packet learning unit comprises: a learning packet collecting unit collecting, as a learning packet, the packets transmitted in the industrial control network during the normal behavior learning period; A packet verifying unit for inspecting the learning packets collected by the learning packet collecting unit to determine whether the packet is a learning packet acquired in a normal environment of the industrial control network; A whitelist generating unit for analyzing the learning packets verified by the packet verifying unit to obtain a rule for a normal packet, generating the whitelist from the obtained rules, and storing the generated whitelist in the database unit; And acquiring the at least one individual packet model, the at least one pattern library, and the at least one traffic model by learning the packets preprocessed by the parallel preprocessing unit in individual packet units, packet patterns, and traffic units, A learning model generation unit for storing the learning model; And a control unit.

The learning model generation unit receives a plurality of the individual packets preprocessed from the individual packet preprocessing unit, groups each received individual packet by applying an EM (Expectation Maximization) algorithm, and generates at least one individual packet An individual packet learning unit for generating each of the groups as the individual packet model through an OCSVM (One-class SVM) algorithm; A pattern library generation unit for generating characteristics and frequency of the packet pattern extracted and extracted from the packet pattern preprocessing unit as the at least one pattern library; And a traffic learning unit for grouping the data sets of the predetermined time unit applied by the traffic preprocessing unit by applying the EM algorithm and generating the at least one traffic model using the OCSVM algorithm. And a control unit.

Wherein the packet inspection unit comprises: an inspection packet collection unit for collecting the packets transmitted from the industrial control network after the normal learning learning period; A whitelist checking unit which inspects the packets collected by the inspection packet collecting unit using the white list stored in the database unit and transmits normal packets to the preprocessing unit; An inspection unit for comparing the packets preprocessed by the parallel preprocessing unit with the at least one individual packet model stored in the database unit, the at least one pattern library, and the at least one traffic model to check an abnormality; And an abnormal behavior discrimination unit for discriminating whether an abnormal behavior has occurred on the industrial control network according to the abnormality level; And a control unit.

Wherein the checking unit compares the individual packet applied by the individual packet preprocessing unit with the at least one individual packet model stored in the database unit and calculates a difference between the individual packet model and the most similar individual packet model as individual packet abnormalities; Processing unit for comparing the packet pattern applied by the packet pattern preprocessing unit with the pattern and the frequency of the at least one pattern library stored in the database unit, and calculating a pattern difference between the at least one pattern library and the previously stored pattern library, A pattern checking unit; And a traffic checker for calculating the difference between the data set applied from the traffic preprocessing unit and the most similar traffic model among at least one traffic model stored in the traffic model storage unit, in a traffic abnormal state; And a control unit.

According to another aspect of the present invention, there is provided a method for detecting an abnormal behavior for an industrial control network, the method comprising: a packet learning unit, a database unit, a packet checking unit, and a preprocessing unit, Wherein the packet learning unit collects packets transmitted in an industrial control network for a predetermined normal action learning period, and after a normal packet verification for the collected packets, generates a white list and at least one individual packet model Acquiring at least one pattern library and at least one traffic model, and storing the at least one traffic model in the database unit; And the packet inspection unit collects the packets transmitted in the industrial control network after the normal behavior learning period and transmits the collected packets to the white list and the at least one individual packet model stored in the database unit, A network testing step of detecting abnormal behavior on an industrial control network in comparison with the pattern library of the at least one traffic model and the at least one traffic model; .

The normal learning learning step comprises the steps of: the packet learning unit collecting packets transmitted in the industrial control network during the normal behavior learning period; Inspecting the packets collected by the packet learning unit to determine whether they are packets obtained in a normal environment of the industrial control network; Analyzing packets to acquire rules for a normal packet, generating the whitelist from the obtained rules, and storing the generated whitelist in the database unit if it is determined that the packets are acquired in the normal environment; The pre-processing unit receiving packets determined to be acquired in the normal environment and pre-processing the learning in a predetermined manner; And the packet learning unit receives the preprocessed packets and learns in the form of individual packet units, packet patterns and traffic units to obtain the at least one individual packet model, the at least one pattern library and the at least one traffic model Storing in the database unit; And a control unit.

The network testing step may include collecting the packets transmitted in the industrial control network after the normal behavior learning period; Inspecting the collected packets using the whitelist stored in the database unit; Receiving the packets inspected using the whitelist, and preprocessing the packets in a predetermined manner; Comparing the preprocessed packets with the at least one individual packet model stored in the database unit, the at least one pattern library, and the at least one traffic model to check for anomalies; And determining whether an abnormal behavior has occurred on the industrial control network according to the abnormality. And a control unit.

Accordingly, the system and method for detecting abnormal behavior for an industrial control network of the present invention can detect abnormal behavior in a normal operation learning step in an industrial control network by learning the normal behavior information on the whitelist, individual packet, And then in the network inspection step, the abnormal behavior search is largely improved by searching for the abnormal behavior in both the white list, the individual packet, the packet pattern, and the traffic portion using the obtained normal behavior information, And reliability can be secured.

FIG. 1 shows an example of an industrial control network to which the abnormal behavior detection system according to the present invention is applied.
2 illustrates an abnormal behavior detection system according to an embodiment of the present invention.
3 shows a detailed configuration example of the parallel preprocessing unit of FIG.
FIG. 4 shows an embodiment in which the packet pattern preprocessing unit of FIG. 3 extracts a packet pattern.
Fig. 5 shows a detailed configuration example of the learning model generation unit, the inspection database and the inspection unit of Fig.
FIG. 6 illustrates an abnormal behavior detection method according to an embodiment of the present invention.
FIG. 7 is a detailed view illustrating an abnormal behavior detection step of FIG. 6. FIG.

In order to fully understand the present invention, operational advantages of the present invention, and objects achieved by the practice of the present invention, reference should be made to the accompanying drawings and the accompanying drawings which illustrate preferred embodiments of the present invention.

Hereinafter, the present invention will be described in detail with reference to the preferred embodiments of the present invention with reference to the accompanying drawings. However, the present invention can be implemented in various different forms, and is not limited to the embodiments described. In order to clearly describe the present invention, parts that are not related to the description are omitted, and the same reference numerals in the drawings denote the same members.

Throughout the specification, when an element is referred to as "including" an element, it does not exclude other elements unless specifically stated to the contrary. The terms "part", "unit", "module", "block", and the like described in the specification mean units for processing at least one function or operation, And a combination of software.

FIG. 1 shows an example of an industrial control network to which the abnormal behavior detection system according to the present invention is applied.

1 shows an industrial control network (hereinafter referred to as a substation network) applied to a substation automation system as an example of an industrial control network. The substation network is divided into a substation level and a bay level as shown in FIG. 1, and performs communication in a mutually designated manner. The substation level has a Human Machine Interface (HMI), a main server and a backbone switch (Backbone Swithc). The HMI is provided for displaying the status of the substation system to the administrator and for receiving the control command. The main server receives and analyzes the operation information of the power facility provided at the bay level, and performs control on the bay level power facility do. And the backbone switch allows the main server to communicate with the bay level.

At the bay level, there are provided a plurality of IEDs (Intelligent Electronic Devices), which are power facilities, and at least one IED switch, which selects at least one of the plurality of IEDs so that the substation-level main server can perform communication .

IEC 61850 IDS is an IEC 61850 based Intrusion Detection System and represents the abnormal behavior detection system of the present invention. IEC 61850 is an international standard for an integrated protocol for substation automation made for international standardization in IEC TC 57. It is the most defined communication protocol in the field of power related industrial control networks so far and has been extensively used and widely used Protocol. IEC 61850 mainly uses MMS (Manufacturing Message Specification) and GOOSE (Generic Object Oriented Substation Event) protocols. MMS was developed as a mesh standard for monitoring and controlling various manufacturing equipments in industrial control field, and GOOSE was developed for communication between IEDs. However, in MMS or GOOSE, it is desirable to develop security function separately according to the user's operating environment. As in the case of IEC 61850 IDS in FIG. 1, it is common in the substation network that an abnormal behavior detection system is provided between a substation level and a bay level so as to detect an abnormal behavior. Hereinafter, an abnormal behavior detection system applied to a substation network which is a typical industrial control network will be described, but the present invention is not limited thereto.

2 illustrates an abnormal behavior detection system according to an embodiment of the present invention.

Referring to FIG. 2, the abnormal behavior detection system of the present invention includes a packet learning unit 100, a preprocessing unit 200, a database unit 300, and a packet checking unit 400.

The packet learning unit 100 is provided for analyzing a normal behavior as a basis for detecting an abnormal behavior and acquiring normal behavior information and storing the obtained normal behavior information in the database unit 300.

The preprocessing unit 200 performs a preprocessing operation to facilitate analysis in the packet learning unit 100 and the packet inspection unit 400 for a plurality of packets applied to the abnormal behavior detection system.

The database unit 300 stores the normal behavior information acquired by the packet learning unit 100. When the packet inspection unit 400 detects abnormal behavior of a packet, the packet inspection unit 400 transmits normal behavior information So that it is possible to determine whether or not the packet is abnormal.

When a plurality of packets are received through the industrial control network, the packet checking unit 400 determines whether the received packets are normal by comparing the received plurality of packets with the normal behavior information stored in the database unit 300 .

2, the packet learning unit 100 includes a learning packet collection unit 110, a packet verification unit 120, a whitelist generation unit 130, and a learning model generation unit 130. [ (140).

The learning packet collection unit 110 collects various packets transmitted in the industrial control network as learning packets during the normal behavior learning period of the abnormal behavior detection system. The normal behavior learning period can be variously set according to the field to which the abnormal behavior detection system is applied, and in the substation network, it can be set to a period of 4 weeks or more as an example for the accuracy of normal action learning. Here, the learning packet may be a packet that has not yet been verified as a normal packet, and the packet transmitted in the actual industrial control network may be used during the normal behavior learning period. This is because, unlike the general IT environment network, most of the industrial control networks use regular protocols and only limited protocols are used. Therefore, almost all packets are normal packets and can be used as learning packets except for special cases. Also, learning the normal behavior based on a plurality of actually used packets has an advantage of detecting an abnormal packet with high accuracy.

The packet verifying unit 120 inspects the packets collected by the learning packet collecting unit 110 in a predetermined manner to determine the number of error messages, the number of collision frames, the number of retransmission packets, the number of mal- , The number of packets of abnormal size, and the like. When the sum ratio of the number of abnormal packets calculated is equal to or greater than a predetermined ratio (for example, 0.01%), it is regarded that the packet is not a learning packet of a normal environment and a new packet is collected by the learning packet collecting unit 110 request.

However, if the sum ratio of the number of unacknowledged packets to the total packet is less than the predetermined ratio, it is determined that the normal packets have been collected and the collected packets are transmitted to the whitelist generating unit 130 and the preprocessing unit 200.

The whitelist generating unit 130 receives a plurality of packets verified by the packet verifying unit 120 and generates a white list based on the received plurality of packets. The whitelist is a list made up of rules that are clearly defined as normal. It consists of normal flow set based on IP / PORT in normal environment and normal message type according to control network protocol (DNP3, IEC61850, ICCP, etc.) .

In the IT-based network, a technique of detecting an attack using a database storing a blacklist is mainly used. Since the IT-based network is a network environment open to an unspecified number of users, packets and services of various protocols are utilized. Therefore, it can not be restricted to provide only a specific protocol or service. Therefore, in the IT-based network, a technique for detecting abnormal behavior that can occur later can not but be utilized based on the black list stored by analyzing the previously generated attack. However, the blacklist-based abnormal behavior detection technique can not detect a zero-day attack that utilizes an unknown vulnerability, but also detects blacklist data stored in the blacklist database whenever a new type of abnormal behavior is detected There is a burden to update.

On the other hand, the industrial control network is not a fully open environment unlike the IT network, and thus the network traffic generation is regular and only the predetermined limited protocol is used as described above. Therefore, it is more efficient to detect abnormal behavior based on whitelist that profiles normal behavior. If the whitelist-based abnormal behavior is detected, all actions not included in the whitelist are regarded as abnormal, so that even if a new type of abnormal behavior occurs, the abnormal behavior can be easily detected and responded to. In particular, when using a whitelist technique with a firewall or antivirus system, it can effectively deal with advanced attacks such as APT (Advanced Persistent Threats) attacks.

Meanwhile, the learning model generation unit 140 learns the normal behavior information on the industrial control network by learning the preprocessed and separated packets in the preprocessing unit 200 in units of individual packets, packet patterns, and traffic units. The detailed process for the learning model generation unit 140 to acquire the normal behavior information will be described later.

The pre-processing unit 200 includes a common pre-processing unit 210 and a parallel preprocessing unit 220. The common pre-processing unit 210 analyzes and classifies a plurality of packets applied from the packet verification unit 120 or the whitelist checking unit 420 in a flow / protocol unit, and transmits the packets to the parallel preprocessing unit 220.

The parallel preprocessing unit 220 includes three individual preprocessing units: an individual packet preprocessing unit, a packet pattern preprocessing unit, and a traffic preprocessing unit. Each of the three individual preprocessing units receives a packet classified by the common preprocessing unit 210, The pre-processing is performed in the method. The preprocessed packet is transmitted to the learning model generation unit 140 or the inspection unit 440. A detailed description of the three separate preprocessing units of the parallel preprocessing unit 220 will be described later.

The database unit 300 includes a whitelist database 310 and an inspection database 320. The whitelist database 310 receives and stores the whitelist generated by the whitelist generator 130 during the normal behavior learning period and transmits a whitelist according to a request from the whitelist inspector 420 at the time of searching for an abnormal behavior , So that the whitelist checking unit 420 can check the inspection packet.

The inspection database 320 stores the normal behavior information generated by the learning model generation unit 140 during the normal behavior learning period and provides the normal behavior information to the inspection unit 440 at the time of the abnormal behavior search to discriminate the abnormal behavior packet .

2, the database unit 300 includes the white list database 310 and the inspection database 320 separately. However, the white list database 310 and the inspection database 320 may include one It may be composed of a database. Also, although not shown, the database unit 300 may further include a log database (not shown) for storing log information on abnormal behavior packets determined by the packet checking unit 400. The log database can be used as basic information for analyzing various abnormal behaviors.

The packet inspection unit 400 includes an inspection packet collection unit 410, a whitelist inspection unit 420, a whitelist update unit 430, an inspection unit 440 and an abnormal behavior determination unit 450.

The inspection packet collection unit 410 collects packets transmitted while the abnormal behavior detection system is operated to detect an abnormal behavior occurring in the industrial control network.

The whitelist checking unit 420 performs filtering using a whitelist stored in the whitelist database 310 for a plurality of packets collected by the inspection packet collecting unit 410. That is, it is determined whether each of the plurality of packets conforms to the rule specified by the white list. The normal packets are transmitted to the common preprocessing unit 210 of the preprocessing unit 200, and the packets determined to be abnormal are transmitted to the whitelist updating unit 430 send.

The whitelist update unit 430 is configured to update the whitelist stored in the whitelist database 310. The whitelist update unit 430 receives the packets determined to be abnormal by the whitelist checking unit 420 and sets a whitelist rule to be newly added Or not. As described above, the whitelist is a list defining rules for normal packets, and the abnormal behavior detection system that detects an abnormal packet using the whitelist determines packets that do not correspond to the rule of the preset white list as abnormal packets . However, as with most other networks, industrial control networks can also use unused packets by designating them in accordance with the utilization of industrial control systems. In this case, you need to add the rule for the newly specified packet to the whitelist.

Accordingly, the whitelist update unit 430 receives the packets that are determined to be abnormal by the whitelist checking unit 420 and newly acquires the packet rules in the same manner as the whitelist generating unit 130. Then, it is determined whether the newly obtained packet rule is normally included in the white list. If the rule is normal, the packet rule is transmitted to the white list database 310 to update the white list. Here, whether or not the obtained packet rule is normal can be displayed to the user and the packet rule can be determined to be normal when the user's approval is granted.

The inspecting unit 440 receives the pre-processed and separated packets in the preprocessing unit 200 and compares the packets with the normal behavior information stored in the inspection database 320 in units of individual packets, packet patterns, and traffic. As a result of comparison, anomalies are calculated in units of individual packets, packet patterns, and traffic units. Where the anomalies can be computed numerically.

The abnormal behavior determiner 450 determines whether an abnormal behavior has occurred by using the abnormality calculated in individual packet units, packet patterns, and traffic units as the comparison result in the inspection unit 440. [ If it is determined that an abnormal behavior has occurred, a warning can be output to the user through the HMI shown in FIG. If the database unit 300 is provided with a log database, abnormal behavior information is stored in the log database.

2, the learning packet collecting unit 110 and the inspection packet collecting unit 410 are separately shown. However, since the learning packet collecting unit 110 and the inspection packet collecting unit 410 differ only at the time of collecting packets, Collecting unit. 2, the preprocessor 200 is separately provided to preprocess packets applied to both the packet learning unit 100 and the packet inspection unit 400. However, in some cases, the packet learning unit 100 and the packets The preprocessing unit 200 may be separately included in each of the inspection units 400.

3 shows a detailed configuration example of the parallel preprocessing unit of FIG.

3, the parallel preprocessing unit 220 includes an individual packet preprocessing unit 221, a packet preprocessing unit 220, and a preprocessing unit 220. The parallel preprocessing unit 220 includes an individual packet preprocessor 221, A pattern preprocessing unit 222, and a traffic preprocessing unit 223.

The individual packet preprocessing unit 221 includes a flow / protocol field selection unit 2211 and an individual packet normalization unit 2212 to divide a plurality of packets classified by the common pre-processing unit 210 into flow / protocol units , Field selection and normalization of the packet.

The packet pattern preprocessing unit 222 includes a node / protocol field selection unit 2221 and a packet pattern detection unit 2222. The packet pattern preprocessing unit 222 receives a plurality of packets classified by the common preprocessing unit 210, And performs packet field selection and normalization. Here, the packet pattern detector 2222 extracts packet patterns from a plurality of received packets using a pattern search algorithm to be described later.

The traffic preprocessing unit 223 includes a traffic calculation unit 2231 and a data set generation unit 2232. The traffic preprocessing unit 223 includes a traffic pre- Calculate the number of packets, the average packet size, and the number of packets per protocol, and create a dataset.

FIG. 4 shows an embodiment in which the packet pattern preprocessing unit of FIG. 3 extracts a packet pattern, and a method of extracting a packet pattern in an industrial control network in which four kinds of packets are transmitted is shown in a simple example. Industrial control networks are not only limited in the types of packets, but also have a high frequency of repetitive and regular transmission of packets. Particularly, when analyzing packets transmitted between two nodes (for example, two IEDs in FIG. 1) in an industrial control network, the packet pattern is generally repeated cyclically in a very simple form.

For example, if the packets of the MMS protocol and the GOOSE protocol, which are mainly used in the IEC 61850 of the substation network shown in FIG. 1, are classified based on characteristics such as a message type, a function type, and an object type, .

MMS Packet GOOSE Packet The Number of Feature 4 3 Features TPKT Length
MMS PDU Type
MMS Service Type
IEC 61850 Object Name GOOSE Message Length
gocbRef
Number of Data Set Entries

Therefore, in order to retrieve the pattern of the simple repetitive pattern, the packet pattern preprocessing unit 222 first sets the i-th packet as an arbitrary packet to the pattern search start position (p = i). Then, the pattern length (n) is sequentially incremented from 2 to 1 from the packet at the start position, and a repetitive pattern is searched.

In this case, as in the case 1, the entire repeating pattern may be searched immediately. However, as in the case 2 (case 2), the partial repeating pattern exists in the entire repeating pattern, It can happen.

Accordingly, in the present invention, when a repeat pattern is found, the repeat pattern is searched again from the next packet (i + 1) following the start position packet to determine whether the previously found pattern is a partial repeat pattern. That is, the length of the previously found pattern matches the length of the pattern found from the packet (i + 1) following the start position packet.

If the lengths of the searched patterns do not coincide with each other, it is determined that the pattern is a partial repeat pattern, and the pattern is searched from the packet at the start position until the repeat pattern is searched again. In this case as well, it is possible to re-search the next packet (i + 1) following the start position packet to determine whether the searched repeated pattern is a partial repeat pattern to obtain the entire repeat pattern. That is, the pattern can be repeatedly searched until the length of the found pattern matches the length of the pattern that is searched from the packet (i + 1) following the start position packet.

Fig. 5 shows a detailed configuration example of the learning model generation unit, the inspection database and the inspection unit of Fig.

Similar to the parallel preprocessing unit 220 of FIG. 3, the learning model generation unit 140, the inspection database 320, and the inspection unit 440 in FIG. 5 each have three components. First, the learning model generation unit 140 includes an individual packet learning unit 141, a pattern library generation unit 142, and a traffic learning unit 143.

The individual packet learning unit 141 receives a plurality of individual packets that have been preprocessed from the individual packet preprocessing unit 221 of the parallel preprocessing unit 220. In order to acquire the normal behavior information on the received individual packets, each individual packet is grouped by applying an EM (Expectation Maximization) algorithm, and each of the at least one group generated by the grouping is subjected to OCSVM (One-class SVM) algorithm And transmits the individual packet model to the individual packet model storage unit 321 of the inspection database 320. [

The pattern library generation unit 142 generates a pattern library of the characteristics and the frequency of the packet pattern extracted and preprocessed from the packet pattern preprocessing unit 222. The generated pattern library is transferred to the pattern library storage unit 322 of the inspection database 320.

The traffic learning unit 143 groups each data set of the predetermined time unit applied by the traffic preprocessing unit 223 by applying the EM algorithm and generates the traffic model using the OCSVM algorithm. The generated traffic model is transmitted to the traffic model storage unit 323 of the inspection database 320.

The inspection database 320 includes an individual packet model storage unit 321, a pattern library storage unit 322 and a traffic model storage unit 323. Each of the individual packet learning unit 141 of the learning model generation unit 140, At least one individual packet model, at least one pattern library, and at least one traffic model from the pattern library generation unit 142 and the traffic learning unit 143,

The inspection unit 440 includes an individual packet inspection unit 441, a packet pattern inspection unit 442, and a traffic inspection unit 443. The individual packet inspecting unit 441 compares the individual packets applied by the individual packet preprocessing unit 221 with the individual packet models stored in the individual packet model storage unit 321 and analyzes the differences from the most similar individual packet models. For example, the individual packet checker 441 can derive the distance between the received individual packet and the individual packet model having the shortest hyper-vector distance as an individual packet abnormal score.

The packet pattern checking unit 442 compares the packet pattern applied by the packet pattern preprocessing unit 222 with at least one pattern library stored in the pattern library storage unit 322 and stores the packet pattern with at least one pattern library Analyze the pattern difference. For example, if the new pattern is 10 points and the frequency is less than 10% of the total frequency, then the total frequency / (frequency * 10) and the minimum value of 10 can be derived as the pattern abnormal score.

The traffic checking unit 443 analyzes the difference between the data set applied from the traffic preprocessing unit 223 and the most similar traffic model among at least one traffic model stored in the traffic model storing unit 323. [ Like the individual packet inspecting unit 441, the traffic inspecting unit 443 can derive the distance between the received data set and the traffic model having the shortest hyper vector distance as a traffic abnormal score.

Then, the derived individual packet abnormal score, pattern abnormal score, and traffic abnormal score are transmitted to the abnormal behavior determiner 450 to determine whether an abnormal behavior has occurred or not. The pattern abnormality, and the traffic abnormality are transmitted in numerical values as individual packet abnormality scores, pattern abnormality scores, and traffic abnormality scores, respectively, Score can be combined in a predetermined manner to derive the final abnormal score. And determines whether an abnormal behavior has been detected based on whether the final abnormal score is greater than or equal to a preset reference value.

FIG. 6 illustrates an abnormal behavior detection method according to an embodiment of the present invention.

Referring to FIGS. 2 to 5 and describing the abnormal behavior detection method of FIG. 6, the priority learning packet collection unit 110 collects various packets transmitted in the industrial control network as learning packets during the normal packet learning period (S110 ). Then, the packet verification unit 120 checks the collected packets by checking the pre-set method of the packets collected by the learning packet collection unit 110 (S120). At this time, if it is determined that the collected packet is not a normal packet, the packet verification unit 120 may request the learning packet collection unit 110 to collect the packet again.

The packets verified by the packet verifying unit 120 are analyzed by the white list generating unit 130 for the characteristics of the normal packets. The white list generating unit 130 generates a white list based on the analyzed characteristics, (Step S130). Meanwhile, the packet verification unit 120 transmits the verified packet to the whitelist generation unit 130 and the common pre-processing unit 210. The common pre-processing unit 210 analyzes and classifies a plurality of packets received independently from the whitelist generating unit 130 in a flow / protocol unit, and transmits the packets to the parallel preprocessing unit 220 (S140).

The individual packet preprocessing unit 221, the packet pattern preprocessing unit 222, and the traffic preprocessing unit 223 of the parallel preprocessing unit 220 individually receive the packets analyzed and classified by the common preprocessing unit, The pre-processing is performed in the method. The individual packet preprocessor 221 divides the plurality of packets classified by the common preprocessing unit 210 into flow / protocol units, and performs field selection and normalization of the packets (S150). The packet pattern preprocessing unit 222 receives a plurality of packets, divides them into individual node / protocol units, performs packet field selection and normalization operations, and extracts packet patterns (S160). The traffic preprocessing unit 223 calculates the number of packets, the average packet size, and the number of packets per protocol for each predetermined time unit so as to analyze traffic characteristics of the entire network unit (S170).

The individual packet learning unit 141 of the learning model generation unit 140 receives a plurality of individual packets that have been preprocessed from the individual packet preprocessing unit 221 and groups each of the individual packets and generates each of the grouped at least one individual packet group Into at least one individual packet model and stores it in the individual packet model storage unit 321 (S180).

The pattern library generation unit 142 generates a pattern library and stores the characteristics and the frequency of the packet pattern extracted by the packet pattern preprocessing unit 222 in the pattern library storage unit 322 (S190).

The traffic learning unit 143 groups each data set of a predetermined time unit applied by the traffic preprocessing unit 223, generates each of the grouped at least one data set as at least one traffic model, 323 (S200).

When the individual packet model, the pattern library, and the traffic model are stored, it is determined whether the normal packet learning period is terminated (S210). If the learning period has not ended, the learning packet is collected again (S110).

However, if the learning period is terminated, abnormal behavior is detected from the packets transmitted in the industrial control network using the stored white list, individual packet model, pattern library, and traffic model (S300).

Then, it is determined whether an abnormal behavior is detected (S410). If an abnormal behavior is detected, an abnormal behavior detection warning is output (S420). However, if the abnormal behavior is not detected, the abnormal behavior is detected again (S300). As described above, since industrial control systems generally place importance on non-stop availability, abnormal behavior detection is performed continuously.

From the collecting of the learning packet (S110) to the step 210 of determining whether the learning period is ended, it can be classified into a normal action learning step, a step of outputting an abnormal behavior detection alert from the abnormal behavior detection step (S300) S420) can be classified into a network inspection step.

FIG. 7 is a detailed view illustrating an abnormal behavior detection step of FIG. 6. FIG.

Referring to FIG. 7, in the abnormal behavior detection step S300, the inspection packet collection unit 410 collects inspection packets transmitted from the industrial control network (S310). The whitelist checking unit 420 inspects a plurality of packets collected by the inspection packet collecting unit 410 using a whitelist stored in the whitelist database 310. The whitelist checking unit 420 transmits normal packets to the common pre-processing unit 210 of the preprocessing unit 200. At this time, the whitelist checking unit 420 may transmit the packets determined to be abnormal to the whitelist updating unit 430 so that the packets can be used for updating the whitelist.

In the abnormal behavior detection step S300, the common pre-processing unit 210 analyzes and classifies a plurality of packets received from the whitelist checking unit 420 in a flow / protocol unit, and transmits them to the parallel preprocessing unit 220 (S340) .

The individual packet preprocessing unit 221, the packet pattern preprocessing unit 222 and the traffic preprocessing unit 223 of the parallel preprocessing unit 220 individually receive the packets analyzed and classified by the common preprocessing unit, Preprocessing is performed in a designated manner (S340, S350, S360).

That is, in the abnormal behavior detection step S300, the common pre-processing unit 210 and the parallel preprocessing unit 220 perform the same operations as the normal behavior learning step.

The individual packet inspecting unit 441 compares the individual packets applied by the individual packet preprocessing unit 221 with the individual packet models stored in the individual packet model storage unit 321, (S370). The packet pattern checking unit 442 compares the packet pattern applied by the packet pattern preprocessing unit 222 with the pattern and frequency of at least one pattern library stored in the pattern library storage unit 322 to check the abnormality of the packet pattern (S380). The traffic checking unit 443 compares the data set applied from the traffic preprocessing unit 223 with at least one traffic model stored in the traffic model storing unit 323 to check the traffic abnormality (S390). Here, the abnormality of individual packets, the abnormality of the packet pattern, and the traffic abnormality can be calculated as numerical scores.

Thereafter, the abnormal behavior determiner 450 receives the abnormality of each packet, the abnormality of the packet pattern, and the traffic abnormality, and combines the abnormal abnormalities in a peaked manner to derive a final abnormal score. If the final abnormal score is greater than a predetermined reference value It is determined whether an abnormal behavior has been detected (S400).

The method according to the present invention can be implemented as a computer-readable code on a computer-readable recording medium. A computer-readable recording medium includes all kinds of recording apparatuses in which data that can be read by a computer system is stored. Examples of the recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and a carrier wave (for example, transmission via the Internet). The computer-readable recording medium may also be distributed over a networked computer system so that computer readable code can be stored and executed in a distributed manner.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art.

Accordingly, the true scope of the present invention should be determined by the technical idea of the appended claims.

Claims (23)

Collecting packets transmitted in an industrial control network for a designated normal action learning period, and after normal packet verification for the collected packets, based on a verified normal packet, a white list and at least one individual packet model, A packet learning unit for acquiring a pattern library and at least one traffic model;
A database unit for storing the white list obtained by the packet learning unit, the at least one individual packet model, the at least one pattern library, and the at least one traffic model;
Collecting the packets transmitted from the industrial control network after the normal learning learning period and transmitting the collected packets to the white list, the at least one individual packet model, the at least one pattern library, A packet inspection unit for detecting an abnormal behavior on an industrial control network by comparing with at least one traffic model;
A common pre-processing unit for receiving and analyzing the packets from the packet learning unit and the packet checking unit in flow / protocol units;
Preprocessing the packets classified by the common pre-processing unit in three predetermined ways to correspond to each of the at least one individual packet model, the at least one pattern library, and the at least one traffic model, And a parallel preprocessing unit for transmitting the packet to the packet checking unit. Lt; / RTI >
The parallel pre-
An individual packet preprocessor for dividing the packets classified and applied by the common preprocessor into flow / protocol units and selecting and normalizing the fields of the packets;
A packet pattern preprocessing unit for dividing the packets classified and applied by the common pre-processing unit into individual nodes and protocol units, and extracting a packet pattern from the received packets using a predetermined pattern search algorithm; And
A packet average size and a number of packets per protocol so as to analyze the traffic characteristics of the industrial control network from the packets classified and applied by the common pre-processing unit, A preprocessing unit; Wherein the abnormal behavior detection system comprises: delete delete 2. The apparatus of claim 1, wherein the packet pattern preprocessing unit
Searching for a repetition pattern of the packets while setting an arbitrary i-th packet among the packets as a pattern search start position and sequentially incrementing a pattern length n from 2 at a pattern search start position by 1 from 2, Wherein when the repeat pattern is found, the repeat pattern is searched again from the next packet after the start position packet to determine whether the previously found pattern is a partial repeat pattern. 2. The apparatus of claim 1, wherein the packet learning unit
A learning packet collecting unit collecting the packets transmitted in the industrial control network as learning packets during the normal activity learning period;
A packet verifying unit for inspecting the learning packets collected by the learning packet collecting unit to determine whether the packet is a learning packet acquired in a normal environment of the industrial control network;
A whitelist generating unit for analyzing the learning packets verified by the packet verifying unit to obtain a rule for a normal packet, generating the whitelist from the obtained rules, and storing the generated whitelist in the database unit; And
The at least one individual packet model, the at least one pattern library, and the at least one traffic model by learning the packets preprocessed by the parallel preprocessing unit in individual packet units, packet patterns, and traffic units, A learning model generation unit for storing the learning model; Wherein the abnormal behavior detection system comprises: 6. The apparatus of claim 5, wherein the packet verifying unit
Wherein at least one of the number of error messages, the number of collision frames, the number of retransmitted packets, the number of mal-formed packets, and the number of abnormal packets is calculated in the learning packets, And requests the learning packet collecting unit to collect the learning packet again if the ratio of the packet to the packet is greater than a predetermined ratio. 6. The apparatus of claim 5, wherein the learning model generation unit
A plurality of individual packets preprocessed from the individual packet preprocessing unit, grouping the received individual packets by applying an EM (Expectation Maximization) algorithm, and transmitting each group of at least one individual packet group generated by the grouping to OCSVM An individual packet learning unit for generating the individual packet model through a one-class SVM algorithm;
A pattern library generation unit for generating characteristics and frequency of the packet pattern extracted and extracted from the packet pattern preprocessing unit as the at least one pattern library; And
A traffic learning unit for grouping the data sets of a predetermined time unit applied by the traffic preprocessing unit by applying the EM algorithm and generating the at least one traffic model using the OCSVM algorithm; Wherein the abnormal behavior detection system comprises: 8. The apparatus of claim 7, wherein the packet inspection unit
An inspection packet collecting unit for collecting the packets transmitted from the industrial control network after the normal learning learning period;
A whitelist checking unit which inspects the packets collected by the inspection packet collecting unit using the white list stored in the database unit and transmits normal packets to the preprocessing unit;
An inspection unit for comparing the packets preprocessed by the parallel preprocessing unit with the at least one individual packet model stored in the database unit, the at least one pattern library, and the at least one traffic model to check an abnormality; And
An abnormal behavior discrimination unit for discriminating whether an abnormal behavior has occurred on the industrial control network according to the abnormality; Wherein the abnormal behavior detection system comprises: The apparatus of claim 8, wherein the checking unit
An individual packet checking unit for comparing the individual packet applied by the individual packet preprocessing unit with the at least one individual packet model stored in the database unit and calculating a difference from the most similar individual packet model as an individual packet abnormality;
Processing unit for comparing the packet pattern applied by the packet pattern preprocessing unit with the pattern and the frequency of the at least one pattern library stored in the database unit, and calculating a pattern difference between the at least one pattern library and the previously stored pattern library, A pattern checking unit; And
A traffic checker for calculating the difference between the data set received from the traffic preprocessing unit and the most similar traffic model among at least one traffic model stored in the traffic model storage unit, Wherein the abnormal behavior detection system comprises: The apparatus of claim 9, wherein the abnormal behavior determiner
The packet abnormality, and the traffic abnormality are calculated and calculated in a predetermined manner to calculate a final abnormal score, and when the final abnormality is equal to or greater than the preset reference value, the abnormal behavior is determined to have been detected The abnormal behavior detection system comprising: 9. The apparatus of claim 8, wherein the packet inspection unit
A whitelist updating unit for receiving and analyzing the packets determined to be abnormal by the whitelist checking unit, determining whether to include the packets in the whitelist stored in the database unit, and updating the whitelist; Wherein the abnormal behavior detection system further comprises: 10. The apparatus of claim 9, wherein the database unit
A white list database for receiving and storing the white list generated by the white list generating unit and providing the stored white list to the white list checking unit; And
The at least one individual packet model, the at least one pattern library, and the at least one traffic model generated by the learning model generation unit, and storing the at least one individual packet model, the at least one pattern library, An inspection database for providing at least one traffic model to the inspection unit; Wherein the abnormal behavior detection system comprises: A method for detecting abnormal behavior in an abnormal behavior detection system including a packet learning unit, a database unit, a packet inspection unit, and a preprocessor,
Wherein the packet learning unit collects packets transmitted in an industrial control network for a predetermined normal action learning period, and after a normal packet verification for the collected packets, generates a white list and at least one individual packet model Acquiring at least one pattern library and at least one traffic model, and storing the at least one traffic model in the database unit; And
Wherein the packet inspection unit collects the packets transmitted in the industrial control network after the normal behavior learning period and transmits the collected packets to the white list and the at least one individual packet model stored in the database unit, A network inspection step of detecting an abnormal behavior on an industrial control network in comparison with a pattern library and the at least one traffic model; Lt; / RTI >
The normal action learning step
The packet learning unit collecting packets transmitted in an industrial control network during the normal behavior learning period;
Inspecting the packets collected by the packet learning unit to determine whether they are packets obtained in a normal environment of the industrial control network;
Analyzing packets to acquire rules for a normal packet, generating the whitelist from the obtained rules, and storing the generated whitelist in the database unit if it is determined that the packets are acquired in the normal environment;
Analyzing and classifying the packets determined as being acquired in the normal environment from the packet learning unit in a flow / protocol unit;
An individual packet preprocessing step of dividing the packets classified by the preprocessing unit into flow / protocol units and selecting and normalizing the fields of the packets;
A preprocessing step of dividing the packets classified by the preprocessing unit into individual nodes and protocol units and extracting a packet pattern from the received packets using a predetermined pattern search algorithm;
A preprocessing step of generating a data set by calculating a packet number, a packet average size, and a number of packets per protocol in units of a predetermined time so as to analyze a traffic characteristic of the industrial control network from the packets classified by the preprocessor; And
Wherein the packet learning unit receives the preprocessed packets and learns them in individual packet units, packet patterns and traffic units to obtain the at least one individual packet model, the at least one pattern library, and the at least one traffic model, ; And detecting the abnormal behavior. delete delete delete 14. The method of claim 13, wherein the packet pattern preprocessing step
Setting an arbitrary i-th packet among the packets as a pattern search start position;
Searching for a repetition pattern of the packets sequentially increasing the pattern length (n) from 2 to 1 at the pattern search start position; And
If the repeat pattern is found, searching for the repeat pattern again from the packet following the start position packet to determine whether the previously found pattern is a partial repeat pattern; And detecting the abnormal behavior. 14. The method of claim 13, wherein the obtaining and storing the at least one traffic model in the database comprises:
A plurality of the individual packets preprocessed in the individual packet preprocessing step, grouping each of the individual packets received by applying an EM (Expectation Maximization) algorithm, and transmitting each group of at least one individual packet group generated by the grouping to OCSVM One-class SVM) algorithm;
Generating a characteristic and a frequency of the packet pattern extracted and extracted in the packet pattern preprocessing step as the at least one pattern library; And
Grouping the data sets obtained in the traffic preprocessing step by applying the EM algorithm and generating the at least one traffic model using the OCSVM algorithm; And detecting the abnormal behavior. 14. The method of claim 13,
Collecting the packets transmitted in the industrial control network after the normal behavior learning period;
Inspecting the collected packets using the whitelist stored in the database unit;
Receiving the packets inspected using the whitelist, and preprocessing the packets in a predetermined manner;
Comparing the preprocessed packets with the at least one individual packet model stored in the database unit, the at least one pattern library, and the at least one traffic model to check for anomalies; And
Determining whether an abnormal behavior has occurred on the industrial control network according to the abnormality; And detecting the abnormal behavior. 20. The method of claim 19, wherein the pre-
Analyzing and classifying the packets in a flow / protocol unit by receiving the packets from the packet checking unit; And
Preprocessing the classified packets in three predetermined ways so as to correspond to each of the at least one individual packet model, the at least one pattern library, and the at least one traffic model, and transmitting the packets to the packet checking unit; And detecting the abnormal behavior. The method of claim 20, wherein the step of transmitting to the packet checking unit
An individual packet preprocessing step of dividing the packets into flow / protocol units and selecting and normalizing the fields of the packets;
A packet pattern preprocessing step of dividing the packets into individual nodes and protocol units and extracting a packet pattern from the received packets using a predetermined pattern search algorithm; And
A traffic preprocessing step of generating a data set by calculating a packet number, a packet average size, and a number of packets per protocol in units of a predetermined time so as to analyze a traffic characteristic of the industrial control network from the packets; And detecting the abnormal behavior. 22. The method of claim 21, wherein the step of checking for abnormalities comprises:
Comparing the individual packet with the at least one individual packet model stored in the database section to calculate a difference from the most similar individual packet model as a separate packet abnormality;
Comparing the packet pattern with a pattern and a frequency of the at least one pattern library stored in the database unit, and calculating a pattern difference between the at least one pattern library and the previously stored pattern library; And
Calculating the difference between the data set and the most similar traffic model among at least one traffic model stored in the traffic model storage unit as a traffic abnormality; And detecting the abnormal behavior. 23. The method of claim 22, wherein the step of determining whether the abnormal behavior has occurred
Receiving the quantified individual packet abnormality, the packet pattern abnormality, and the traffic abnormality, and calculating the final abnormality score by a predetermined method; And
Determining that the abnormal behavior is detected if the final abnormal state is equal to or greater than a preset reference value; And detecting the abnormal behavior.

Images