WO2020063188A1 - Industrial SCADA system-based deep packet inspection platform - Google Patents


Info

Publication number: WO2020063188A1
Authority: WO (WIPO (PCT))
Prior art keywords: deep packet, field, protocol, field information, scada system
Application number: PCT/CN2019/101244
Other languages: French (fr), Chinese (zh)
Inventors: 程鹏, 张镇勇, 郭伟, 汪京培, 陈积明, 王文海, 孙优贤
Original assignee: 浙江大学 (Zhejiang University)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

Disclosed is an industrial SCADA system-based deep packet inspection platform. The platform inspects the system state in the common protocol environment of Modbus/TCP and IEC 60870-5-104 in an electric power system, and comprises an industrial SCADA system simulation platform, a deep packet parsing module, an anomaly detection module and an intrusion module. On the basis of the typical cyclic polling interaction mode of a SCADA system, the platform simulates the normal network data stream of the electric power system, detects system exception states, and performs comprehensive simulation of the corresponding network data streams by means of protocol vulnerability analysis and packet mutation. Feature analysis and extraction are performed on the packet field information, and a system state model is created by a machine learning method so as to detect the system state comprehensively and in depth.

Description

Deep packet inspection platform based on an industrial SCADA system

Technical field
The invention relates to the field of industrial control systems, and in particular to a platform that performs protocol parsing and anomaly detection in the communication environment of an industrial SCADA system, constructs normal/abnormal data sets on the basis of the protocol format and its vulnerabilities, and detects the system state by machine learning methods.
Background
Industrial control systems are business-process management and control systems composed of automation control components together with the process-control components that collect and monitor real-time data; they ensure the automated operation, process control and monitoring of industrial facilities. Their core components include supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), programmable logic controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED) and the interface technologies that provide communication among these components. They are widely used in China in petrochemicals, electric power, buildings, transportation, healthcare, metallurgy and other fields.
With the rapid development of information technology and the continuing advance of industrialisation, intelligent production that tightly integrates informatisation and industrialisation has become the trend, the demand for remote communication in industrial control systems has grown, and the various industrial control protocols designed around the characteristics of these systems have come into wide use. For industrial control systems, however, most protocols were designed with more regard for their impact on system availability and real-time communication than for the authenticity and confidentiality of the communicated data; they lack complete and reliable verification mechanisms and encryption. As a result, an intruder with some knowledge of the target system's communication protocol can modify or construct specific messages to carry on "normal" communication with the PLC, and thereby steal information or send control commands that cause targeted damage to the system. In recent years APT (Advanced Persistent Threat) attacks have appeared frequently in the industrial control security field: in 2010 the Stuxnet worm infiltrated Iran's Bushehr nuclear power plant, causing 20% of its centrifuges to be scrapped and significantly delaying Iran's nuclear power programme; the Duqu Trojan in 2011, the Flame virus in 2012 and the Havex virus in 2014 stole information and damaged systems; in 2015 the Ukrainian power grid was attacked with the BlackEnergy virus, 60 substations were attacked and 1.4 million customers lost power. These incidents show how widely industrial control equipment is used in power systems and how important it is; protocol parsing and anomaly detection for the industrial control protocols commonly used in power system scenarios is therefore particularly important.
The industrial control protocols commonly used in power system scenarios are Modbus/TCP and IEC 60870-5-104. Modbus/TCP is the most widely used protocol in the field of industrial control and, beyond power systems, is heavily used in the chemical, water treatment and other industries; it uses general-purpose Ethernet network components and the TCP/IP protocol of the information industry to provide users with an open, flexible and standard communication technology. The power system dispatch automation protocol IEC 60870-5-104 uses balanced transmission, which largely solves the problem of transmission delay between the master station and remote substations in power automation systems, and has good reliability, stability and transmission efficiency. For these industrial control protocols and their application scenarios, the network communication architecture of a SCADA system generally has three layers, from low to high the field control layer, the process monitoring layer and the enterprise management layer. Network information is concentrated in the field control layer and the process monitoring layer, and since the process monitoring layer mostly consists of PCs whose databases are easily tampered with by an intruder, much related research obtains the true state of the system by analysing the network data stream. Because of the special nature of SCADA systems, communication usually follows a periodic polling interaction mode, so analysing the network data stream can also establish a good model of the normal state of the system.
At present, according to how deeply the network data stream is parsed, how the parsed information is used and which detection algorithm is applied, deep packet inspection methods fall into three main categories: black/white list rules based on the single-packet format, traffic models based on the periodic polling mode, and prediction models based on variable semantics.
1) Black/white list rules based on the single-packet format
Deep packet inspection methods of this type mostly use Snort detection rule templates. They analyse the network data stream in the normal state of the system on the basis of a specific protocol's format and application-layer field characteristics, deploy a black/white list using protocol knowledge, match every record of the network data stream against the rules, and mark and alert on packets that match a blacklist rule or fail to match a whitelist rule. Such methods are usually highly targeted, apply to a single environment and generalise poorly.
2) Traffic model based on the periodic polling mode
Deep packet inspection methods of this type are based on the typical interaction mode of the SCADA system. They parse the network data stream, extract the function codes, command information and so on, form the corresponding function code sequences or "event sequences", and build models such as discrete-time Markov chain (DTMC) graphs and finite state automata (DFA) with a learning algorithm. Such methods focus mainly on the operation and command information carried in the network data stream and build the model from a small number of commonly used fields, so they make limited use of application-layer information and have difficulty coping with highly targeted APT attacks in a specific protocol environment.
3) Prediction model based on variable semantics
Deep packet inspection methods of this type analyse the system state from the variable information of the controlled objects of the industrial control system carried in the network data stream, mainly register addresses and register values. They analyse the variable values transmitted during communication under the same node, extract the semantic information of the object process, and build a prediction model to reflect and detect the state of the system's controlled process. Such methods involve a single kind of field information and a fairly narrow application environment; they can only detect semantic changes of the controlled object and cannot obtain the function and state information of the PLC, and by the time the state of the controlled process changes the intruder has usually already achieved the attack objective, so the detection delay is long.
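To make the first two categories concrete, the following is an added example (not code from the patent): a per-packet whitelist rule on (unit id, function code) pairs, and a discrete-time Markov chain over the function-code sequence fitted to a constructed normal polling cycle, which flags transitions with zero learned probability. The sequences, the whitelist and the choice of function codes are constructed assumptions.

```python
"""Two prior-art style checks on a Modbus/TCP function-code stream: a
per-packet whitelist rule and a discrete-time Markov chain (DTMC) of
function-code transitions learned from normal polling traffic. Added
example, not from the patent; the sequences and whitelist are constructed."""
from collections import defaultdict


def whitelist_check(packets, allowed):
    """Indices of packets whose (unit_id, function_code) is not whitelisted."""
    return [i for i, p in enumerate(packets)
            if (p["unit_id"], p["function_code"]) not in allowed]


class DTMC:
    """Transition counts between consecutive function codes."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))

    def fit(self, seq):
        for a, b in zip(seq, seq[1:]):
            self.counts[a][b] += 1
        return self

    def prob(self, a, b):
        """Learned probability of the transition a -> b (0.0 if a was never seen)."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        return row.get(b, 0) / total if total else 0.0

    def detect(self, seq, threshold=0.0):
        """Transitions whose learned probability is at or below the threshold,
        as (position, from_code, to_code); an unseen source code also counts."""
        return [(i, a, b) for i, (a, b) in enumerate(zip(seq, seq[1:]))
                if self.prob(a, b) <= threshold]


# Constructed normal cycle: read holding registers (3), read input
# registers (4), read coils (1), repeated by the master every poll.
NORMAL = [3, 4, 1] * 5
# Constructed test stream with a write single register (6) spliced in.
TEST = [3, 4, 1, 3, 6, 4, 1]
ALLOWED = {(1, 3), (1, 4), (1, 1)}
PACKETS = [{"unit_id": 1, "function_code": fc} for fc in [3, 4, 6, 1]]

if __name__ == "__main__":
    model = DTMC().fit(NORMAL)
    print("whitelist violations:", whitelist_check(PACKETS, ALLOWED))
    print("improbable transitions:", model.detect(TEST))
```

The whitelist flags the single packet with function code 6, while the DTMC flags both the transition into the unexpected code and the one out of it, which is why sequence models catch ordering anomalies that per-packet rules cannot; neither sees register values or timing, which is the limitation the text goes on to describe.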
For implementing deep packet inspection in the industrial control field, the key points are the feature analysis and extraction of the network data stream and the construction of a data set of abnormal system states. The deep packet inspection methods adopted in most current research place high demands on the target scenario and protocol environment: they parse only a small number of commonly used fields of the network data stream, or directly use existing field information as the data set, and use that field information directly as the features of the network data stream to build a system state model. They lack complete feature analysis and extraction of the information contained in the network data stream, and achieve satisfactory results only when the abnormal behaviour involves those commonly used fields. In addition, most existing work modifies and damages the system state with a few known common attacks to build the corresponding data sets; almost no work can simulate well the various abnormal states that may arise in a field scenario, so the detection results have certain limitations. The deep packet inspection adopted in the present invention performs parsing, feature analysis and extraction on the original message payload, achieving complete and in-depth parsing and use of the information in the network data stream; by analysing the vulnerabilities of the protocol itself it constructs mutated messages based on the protocol format, and so modifies and damages the system state through "normal" network data streams, achieving the goal of simulating fairly comprehensively the various abnormal states that may arise in the system. In the implementation, the deep packet inspection and abnormal state simulation functions are encapsulated, which makes modification and extension convenient in different scenarios.
Summary of the invention
The purpose of the present invention is to address the shortcomings of the prior art by providing a complete and in-depth abnormal state simulation and deep packet inspection platform that accurately detects the state of an industrial SCADA system through the network data stream.
The purpose of the invention is achieved by the following technical solution: a deep packet inspection platform based on an industrial SCADA system, comprising an industrial SCADA system simulation platform, a deep packet parsing module, an anomaly detection module and an intrusion module;
the industrial SCADA system simulation platform is used to simulate the network architecture and interaction mode of the process monitoring layer and the field control layer in a power system, and implements the complete protocol stack of the Modbus/TCP and IEC 60870-5-104 protocols; without human intervention, the devices of the two layers maintain a periodic polling interaction, generating the network data stream of the system in its normal state and providing the data source for the deep packet parsing module and the attack scenario for the intrusion module respectively;
the deep packet parsing module captures the original binary messages and decodes them, fully obtaining the system state information in the network data stream, adds attribute labels to the message fields according to the protocol format, completes the analysis of the messages for the anomaly detection module and provides the basic field information;
the anomaly detection module performs feature analysis and extraction on the basic field information: it builds an attribute set from the basic field information, completes and classifies the field information on the basis of the known protocol format to form complete field information, extracts the corresponding statistical, behavioural and temporal features according to the object semantics each field carries, adds features that reflect the object semantics, and finally builds the system state model;
the intrusion module designs attack methods based on the analysis of protocol vulnerabilities and constructs mutated messages to modify and damage the system state, achieving a comprehensive simulation of abnormal system states.
Further, the industrial SCADA system simulation platform uses configuration software widely used in industrial control systems to simulate the process monitoring layer devices, uses PLC honeypots to simulate the field control layer devices, simulates the target power system with the Simulink module of Matlab, and interacts with the PLCs through the OPC Toolbox.
Further, the protocol environment used by the industrial SCADA system simulation platform is Modbus/TCP and IEC 60870-5-104, supporting all types of communication defined in the protocols; it is packaged with docker and provides interfaces for modifying the configuration, making it easy to deploy and relocate.
Further, the deep packet parsing module parses the captured network data stream offline, analysing every bit of each message to obtain the complete field information.
Further, the anomaly detection module, based on the field information obtained by the deep packet parsing module, enumerates the field attributes present during communication to build an attribute set, and completes the field information of each record according to the attribute set, so that the features of missing fields are extracted.
Further, the anomaly detection module analyses the protocol format according to its characteristics in the power system environment, classifies the fields of the attribute set into communication function fields, control function fields and process variable fields, and extracts system state features from the different field classes in different ways.
Further, the anomaly detection module extracts statistical features within a time window (frequency, number of connections, etc.) from the communication function fields (mainly non-numeric fields such as register addresses, information object addresses and function codes).
Further, the anomaly detection module extracts behavioural features within a time window (mean, variance, etc.) from the control function fields (mainly numeric fields without temporal correlation, such as port information and APDU length).
Further, the anomaly detection module extracts temporal features within a time window (prediction residuals, etc.) from the process variable fields (mainly numeric fields with temporal correlation, such as register values).
Further, after extracting the features of each field separately, the anomaly detection module builds a normal/abnormal system state model with a machine learning method.
Further, the intrusion module uses the response mechanism of a complete protocol stack and constructs attack messages by mutating message fields, so as to modify and damage the state of the target system while bypassing the protocol's own verification mechanism.
Further, the intrusion module analyses protocol vulnerabilities on the basis of the protocol format and the protocol's own verification mechanism, and obtains the protocol fields that can be modified while the normal communication requirements of both parties are still met, together with the ranges within which they can be modified, so as to simulate comprehensively the abnormal system states that may be caused during communication and build a complete and reliable data set of abnormal states.
The beneficial effects of the present invention are:
1. The platform performs analysis and detection offline on the network data stream, whose information is complete and authentic; no system platform needs to be built to provide the data source, which makes research and the test deployment of detection methods convenient and gives good flexibility and feasibility.
2. The platform provides a deep packet parsing module that completely and deeply decodes the network data stream and converts it into intuitive field information, making it convenient to observe the state of the system during operation and to conduct other related research.
3. The anomaly detection module of the platform is designed around the typical characteristics of industrial control protocols and is well suited to industrial control systems in different scenarios and with different protocols.
4. The anomaly detection module is implemented step by step as several sub-modules, each of which is encapsulated and outputs and displays its results, which makes testing convenient and also eases optimisation and extension.
5. Within the anomaly detection function the platform provides sub-modules that build the attribute set and complete the field information; these directly reveal the interaction mode of the system's communication and give different modelling methods and detection algorithms an interface to data of the same dimensions.
6. The platform uses different feature extraction methods for field types with different characteristics, which adds to the dimensions and depth of the information used in anomaly detection and also makes the changes in the communication process under various attacks on the system easy to see.
7. The platform provides an intrusion module that encapsulates the protocol communication process and provides a configuration interface for field mutation, making it easy to construct and send directed or random mutated messages and to generate test cases and normal/abnormal data sets.
Brief description of the drawings
FIG. 1 is a diagram of the network architecture of the industrial SCADA system environment and the modules of the present invention.
FIG. 2 is a flowchart of a specific implementation of the deep packet parsing and anomaly detection method of the present invention based on the network data stream.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The deep packet inspection platform for an industrial SCADA system provided by the present invention is aimed mainly at power system scenarios, where the protocols commonly used in the system environment include Modbus/TCP and IEC 60870-5-104. The platform consists of four parts: the industrial SCADA system simulation platform, the deep packet parsing module, the anomaly detection module and the intrusion module. It reproduces the key communication processes of a field environment by simulating the typical interaction mode between the process monitoring layer and the field control layer of an industrial SCADA system. The main detection process is as follows: the deep packet parsing module captures the network data stream through the switch deployed between the two layers and, by deep parsing of that stream, obtains the complete and true system state information of the communication process; the anomaly detection module performs feature analysis and extraction on the parsed field information and builds a system state model with a machine learning method, so that the system state is detected without affecting the operation of the system. At the same time, the intrusion module analyses the protocol vulnerabilities completely, designs attack methods based on the protocol format and comprehensively simulates the abnormal system states that may be caused during communication, so that the platform applies universally to different abnormal scenarios. The overall network architecture is shown in FIG. 1.
Industrial SCADA system simulation platform: the controlled objects of the power system are built and simulated with the Simulink module of Matlab, and the OPC Toolbox in Simulink is used to interact with the PLC in real time, passing the process variable information of the power system to the PLC, responding to control commands from the PLC and providing the process variable information of the controlled objects in the system. The PLC and the SCADA server implement the functions of the field control layer and the process monitoring layer of the power system respectively; they are built from PLC honeypots packaged with docker and a host computer running industrial control system configuration software. The PLCs and RTUs are deployed in the docker environment, where the conpot and FreyrSCADA programs implement the basic request and response functions of the Modbus/TCP and IEC 60870-5-104 PLC honeypots for the respective protocols during communication. Each PLC honeypot is packaged in its own docker container to simulate one node of the power system; for each node's PLC honeypot, its communication functions, the number and type of registers or information objects, IP address, common address, information object addresses and the data of the corresponding registers or information objects are configured according to the protocol standard and the system requirements, so that the protocol's message checking and response functions for specific targets in the field environment are implemented and the complete protocol stack and system network architecture are achieved. Without human intervention the devices of the two layers maintain a periodic polling interaction, generating the network data stream of the system in its normal state, which contains the function and control information of the devices of both layers and the process variable information.
Deep packet parsing module: the network data flow of the communication process is captured at the switch between the process monitoring layer and the field control layer and parsed offline. A Python program parses the message field information layer by layer: following the OSI seven-layer model it extracts the key information outside the application layer, such as IP addresses and ports, and analyses the application-layer message completely, bit by bit, so that the functions, control information and process variable information transmitted during communication are parsed completely and in depth. Attribute tags are then added to each message field according to the protocol format, forming the basic field information data set.
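As an added illustration of the bit-level, tagged parsing this module describes (example code written for this page, not the patent's own Python program): a parser for Modbus/TCP ADUs and IEC 60870-5-104 APDUs that decodes the APCI control field bit by bit, reads the ASDU header and first information object, and tags every field as communication function (comm), control (ctrl) or process variable (proc). The sample frames, the name tables and the tag assignments are constructed assumptions.

```python
import struct

# Readable names for the function codes, type identifiers and U-frame functions
# that the constructed sample frames below use.
MODBUS_FUNC = {3: "read_holding_registers", 6: "write_single_register"}
IEC104_TYPE = {13: "M_ME_NC_1", 45: "C_SC_NA_1", 100: "C_IC_NA_1"}
IEC104_U = {0x07: "STARTDT_act", 0x0B: "STARTDT_con", 0x13: "STOPDT_act",
            0x17: "STOPDT_con", 0x43: "TESTFR_act", 0x83: "TESTFR_con"}


def parse_modbus_tcp(adu: bytes) -> dict:
    """MBAP header + PDU -> {field: (value, tag)}, tag in {comm, ctrl, proc}."""
    if len(adu) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", adu[:8])
    if pid != 0 or length != len(adu) - 6:
        raise ValueError("bad protocol id or MBAP length")
    f = {"transaction_id": (tid, "comm"), "unit_id": (uid, "comm"),
         "function_code": (MODBUS_FUNC.get(fc, fc), "comm"),
         "exception": (bool(fc & 0x80), "comm")}
    data = adu[8:]
    if fc == 3 and len(data) == 4:                        # request: start address, quantity
        f["start_address"], f["quantity"] = [(v, "ctrl") for v in struct.unpack(">HH", data)]
    elif fc == 3 and data and data[0] == len(data) - 1:   # response: byte count, registers
        regs = struct.unpack(">%dH" % (data[0] // 2), data[1:])
        f["registers"] = (list(regs), "proc")
    elif fc == 6 and len(data) == 4:                      # request and echo share one layout
        addr, val = struct.unpack(">HH", data)
        f["address"], f["value"] = (addr, "ctrl"), (val, "ctrl")
    return f


def parse_iec104(apdu: bytes) -> dict:
    """APCI control field decoded bit by bit, then the ASDU header and the first
    information object for the two type ids used in the samples."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        raise ValueError("bad APCI start byte or length")
    c = apdu[2:6]
    if c[0] & 0x01 == 0:                                  # I-format: bit 0 of octet 1 is 0
        f = {"apci": ("I", "comm"), "send_seq": (((c[1] << 8) | c[0]) >> 1, "comm"),
             "recv_seq": (((c[3] << 8) | c[2]) >> 1, "comm")}
    elif c[0] & 0x03 == 0x01:                             # S-format: bits 1..0 are 01
        return {"apci": ("S", "comm"), "recv_seq": (((c[3] << 8) | c[2]) >> 1, "comm")}
    else:                                                 # U-format: bits 1..0 are 11
        return {"apci": ("U", "comm"), "u_function": (IEC104_U.get(c[0], c[0]), "comm")}
    type_id, vsq, cot, orig, ca = struct.unpack("<BBBBH", apdu[6:12])
    f.update({"type_id": (IEC104_TYPE.get(type_id, type_id), "comm"),
              "sq": (vsq >> 7, "comm"), "num_objects": (vsq & 0x7F, "comm"),
              "cot": (cot & 0x3F, "comm"), "pn": ((cot >> 6) & 1, "comm"),
              "test": (cot >> 7, "comm"), "originator_address": (orig, "comm"),
              "common_address": (ca, "comm"),
              "ioa": (int.from_bytes(apdu[12:15], "little"), "ctrl")})
    elem = apdu[15:]
    if type_id == 13:                                     # short float + quality descriptor
        value, qds = struct.unpack("<fB", elem[:5])
        f.update({"value": (value, "proc"), "qds_iv": (qds >> 7, "ctrl"),
                  "qds_nt": ((qds >> 6) & 1, "ctrl")})
    elif type_id == 45:                                   # single command: SCS, QU, S/E bits
        sco = elem[0]
        f.update({"scs": (sco & 1, "ctrl"), "qu": ((sco >> 2) & 0x1F, "ctrl"),
                  "se": (sco >> 7, "ctrl")})
    return f


# Constructed sample frames (not captured from the patent's platform).
MODBUS_REQ = bytes.fromhex("000100000006010300000002")        # read 2 holding registers at 0
MODBUS_RSP = bytes.fromhex("000100000007010304006400c8")      # reply: registers 100, 200
IEC104_STARTDT = bytes.fromhex("680407000000")                # U-frame STARTDT act
IEC104_MEAS = bytes.fromhex("6812020002000d01030001000100000000484200")  # M_ME_NC_1, IOA 1 = 50.0
IEC104_CMD = bytes.fromhex("680e040002002d010600010005000001")          # C_SC_NA_1 on IOA 5, SCS=1

if __name__ == "__main__":
    for frame in (MODBUS_REQ, MODBUS_RSP):
        print(parse_modbus_tcp(frame))
    for frame in (IEC104_STARTDT, IEC104_MEAS, IEC104_CMD):
        print(parse_iec104(frame))
```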
Anomaly detection module: it consists of a data preprocessing sub-module and a model building sub-module. The data preprocessing sub-module completes the basic field information: it collects the field attributes that occur in the communication process, builds an attribute set, assigns a default value to each attribute according to the protocol format, and fills in the attributes that do not appear in a given message with their default values, so that a missing field becomes a feature in itself and field information with a complete set of attributes is obtained. The field information is then analysed on the basis of the protocol format of the network data flow and classified according to the relationship between each field and the communication functions, control functions and process variable information of the SCADA system, and according to the field's data type: non-numeric fields reflecting the current function of a system device are classed as communication function fields, numeric fields reflecting the control commands and response behaviour of system devices are classed as control function fields, and fields reflecting the process variable values of the controlled objects are classed as process variable fields. The characteristics of each class are analysed next: communication function fields are usually strings and have statistical characteristics; control function fields are usually numeric fields without temporal correlation between successive values and have behavioural characteristics; process variable fields are usually numeric fields whose successive values are temporally correlated and have temporal characteristics. Accordingly, a different feature extraction method is applied to each type of field, adding feature fields such as frequency, number of connections, mean, variance and prediction residual. The model building sub-module then builds the system state model with the naive Bayes algorithm, achieving complete and in-depth detection of the system state. The specific implementation flow is shown in FIG. 2.
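An added example of the preprocessing chain just described, written for this page rather than taken from the patent's implementation: attribute-set construction with protocol defaults, completion of messages that lack a field, classification into communication, control and process variable fields, per-class feature extraction (value frequency, running mean and variance, one-step prediction residual) and a small Gaussian naive Bayes model over the resulting feature fields. The field records, the PROCESS_FIELDS mapping and the choice of defaults are constructed assumptions.

```python
import math
from collections import Counter
from statistics import mean, pvariance

# Constructed field records (not from the patent): one dict per parsed message, with
# the attributes a message does not carry simply absent, as a parser would emit them.
NORMAL = [
    {"function_code": "read_holding_registers", "unit_id": 1, "quantity": 2, "reg_value": 100.0},
    {"function_code": "read_holding_registers", "unit_id": 1, "quantity": 2, "reg_value": 101.0},
    {"function_code": "write_single_register", "unit_id": 1, "address": 5, "reg_value": 102.0},
    {"function_code": "read_holding_registers", "unit_id": 1, "quantity": 2, "reg_value": 103.0},
]
# Same traffic shape, but the process value jumps instead of drifting smoothly.
ANOMALOUS = [dict(r, reg_value=v) for r, v in zip(NORMAL, (100.0, 900.0, 100.0, 900.0))]
PROCESS_FIELDS = {"reg_value"}  # numeric fields that carry process variables (assumed)


def build_schema(records):
    """Attribute set over the whole capture plus a default per attribute ('' / 0)."""
    attrs = sorted({a for r in records for a in r})
    defaults = {a: "" if isinstance(next(r[a] for r in records if a in r), str) else 0
                for a in attrs}
    return attrs, defaults


def classify(attr, value):
    """str -> comm; numeric -> proc if a known process field, otherwise ctrl."""
    if isinstance(value, str):
        return "comm"
    return "proc" if attr in PROCESS_FIELDS else "ctrl"


def extract_features(records, schema):
    """Frequency for comm fields, running mean/variance for ctrl, residual for proc."""
    attrs, defaults = schema
    full = [{a: r.get(a, defaults[a]) for a in attrs} for r in records]  # completion
    feats = [{} for _ in full]
    for attr in attrs:
        col = [r[attr] for r in full]
        cls = classify(attr, defaults[attr])
        if cls == "comm":
            freq = Counter(col)
            for i, v in enumerate(col):
                feats[i][attr + "_freq"] = freq[v] / len(col)
        elif cls == "ctrl":
            for i in range(len(col)):
                feats[i][attr + "_mean"] = mean(col[:i + 1])
                feats[i][attr + "_var"] = pvariance(col[:i + 1])
        else:
            for i, v in enumerate(col):
                feats[i][attr + "_residual"] = v - (col[i - 1] if i else v)
    return feats


class GaussianNB:
    def fit(self, X, y):
        self.params = {}
        for label in sorted(set(y)):
            rows = [x for x, l in zip(X, y) if l == label]
            stats = {k: (mean([r[k] for r in rows]), pvariance([r[k] for r in rows]) + 1e-6)
                     for k in rows[0]}
            self.params[label] = (len(rows) / len(X), stats)
        return self

    def predict(self, x):
        scores = {}
        for label, (prior, stats) in self.params.items():
            lp = math.log(prior)
            for k, (m, v) in stats.items():
                lp += -0.5 * math.log(2 * math.pi * v) - (x[k] - m) ** 2 / (2 * v)
            scores[label] = lp
        return max(scores, key=scores.get)


def build_model(normal, anomalous):
    schema = build_schema(normal + anomalous)
    X = extract_features(normal, schema) + extract_features(anomalous, schema)
    y = ["normal"] * len(normal) + ["anomaly"] * len(anomalous)
    return GaussianNB().fit(X, y), schema


def detect(model, schema, records):
    return [model.predict(x) for x in extract_features(records, schema)]
```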
Intrusion module: the attack is based on the open-source vulnerability testing tool metasploit. The complete protocol stack response mechanism of the Modbus/TCP and IEC 60870-5-104 protocols is implemented in .rb files, so that the module can imitate the SCADA server in establishing communication with a PLC, sending commands and requests to the target PLC and automatically completing the responses of the subsequent interaction. The weaknesses of the protocol are analysed through the protocol format and the protocol's own checking mechanism, to obtain the protocol fields that can be modified while the normal communication requirements of both parties are still met, together with the corresponding ranges in which they can be modified; attack methods and configuration interfaces are designed on that basis, specifically interfaces for the mutable fields originator address, common ASDU address, value (determined), value (indetermined) and QOS (IV, NT). By configuring message fields, directed or randomly mutated messages are constructed and sent to modify and damage the system state, thereby simulating abnormal system states comprehensively.
The detection process of the deep packet inspection platform based on an industrial SCADA system of the present invention is as follows: the industrial SCADA system simulation platform simulates the communication process of a power system scenario and generates the normal network data flow, which contains the functions of the process monitoring layer and the field control layer, control information and the process variable information of the controlled objects; the intrusion module sends mutated messages to modify and damage the system state; the deep packet parsing module parses the network data flow to obtain the basic field information; and the anomaly detection module performs feature analysis and extraction on the basic field information and builds the system state model by a machine learning method.
The above embodiments serve to explain the present invention, not to limit it; any modification or change made to the present invention within its spirit and within the scope of protection of the claims falls within the scope of protection of the present invention.

Claims (10)

  1. A deep packet inspection platform based on an industrial SCADA system, characterised in that it comprises an industrial SCADA system simulation platform simulating a power system, a deep packet parsing module, an anomaly detection module and an intrusion module;
    the industrial SCADA system simulation platform is used to simulate the typical interaction pattern between the process monitoring layer and the field control layer of a power system, implements the complete protocol stack functions of Modbus/TCP and IEC 60870-5-104, receives and responds to the attack messages of the intrusion module, and generates the network data flow;
    the deep packet parsing module captures the network data flow for offline parsing, parses it layer by layer, and obtains the basic field information of the application layer in full;
    the anomaly detection module builds an attribute set from the basic field information of all messages, completes the attributes of each single message from the attribute set to form complete field information, classifies the fields according to their semantics, performs feature analysis and extraction separately for each type of field and adds feature fields, thereby parsing the semantic information of the objects in the network data flow in depth, and builds a system state model by a machine learning method;
    the intrusion module designs attack methods based on protocol weaknesses and sends attack messages that modify and damage the system state, thereby simulating abnormal system states.
  2. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the industrial SCADA system simulation platform simulates the power system with Simulink in Matlab and, through periodic polling between the configuration software and multiple PLCs and RTUs, simulates the communication process of the Modbus/TCP and IEC 60870-5-104 protocols in a field environment, wherein the PLCs and RTUs are deployed in a docker environment, the conpot and FreyrSCADA programs implement the basic request and response functions of the corresponding protocol while the Modbus/TCP and IEC 60870-5-104 PLC honeypots establish communication, each PLC honeypot is encapsulated in its own docker container to simulate one node of the power system, and for each node's PLC honeypot the specific object parameters are configured so that the protocol performs message checking and responses for a specific target as it would in a field environment, giving a complete protocol stack and system network architecture and thereby simulating the protocol scenario, interaction pattern and network scale of the power system.
  3. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the deep packet parsing module parses the basic field information of the message application layer completely at the bit level and adds attribute tags.
  4. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the anomaly detection module builds the attribute set of the corresponding protocol from the basic field information of the parsing result and uses it to complete the fields into complete field information, so that missing features are exploited.
  5. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the anomaly detection module analyses the field information on the basis of the protocol format of the network data flow and classifies it according to the relationship between each field and the communication functions, control functions and process variable information of the SCADA system and according to the field's data type: non-numeric fields reflecting the current function of a system device are classed as communication function fields, numeric fields reflecting the control commands and response behaviour of system devices are classed as control function fields, and fields reflecting the process variable values of the controlled objects are classed as process variable fields.
  6. The deep packet inspection platform based on an industrial SCADA system according to claim 5, characterised in that the anomaly detection module, according to the semantic characteristics of the communication function fields, mainly analyses and extracts their statistical features.
  7. The deep packet inspection platform based on an industrial SCADA system according to claim 5, characterised in that the anomaly detection module, according to the semantic characteristics of the control function fields, mainly analyses and extracts their behavioural features.
  8. The deep packet inspection platform based on an industrial SCADA system according to claim 5, characterised in that the anomaly detection module, according to the semantic characteristics of the process variable fields, mainly analyses and extracts their temporal features.
  9. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the anomaly detection module combines the extracted feature fields with the completed field information and builds the system state model with the naive Bayes algorithm.
  10. The deep packet inspection platform based on an industrial SCADA system according to claim 1, characterised in that the intrusion module analyses the weaknesses of the protocol in full, obtains the effect on the system of the function code, originator address, common ASDU address, determined value, indetermined value and QOS fields, and, subject to the protocol constraints, randomly mutates the above fields to construct and send messages, simulating abnormal system states comprehensively.
PCT/CN2019/101244 2018-09-30 2019-08-18 Industrial scada system-based deep packet inspection platform WO2020063188A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811163446.0A CN109167796B (en) 2018-09-30 2018-09-30 Deep packet inspection platform based on industrial SCADA system
CN201811163446.0 2018-09-30

Publications (1)

Publication Number Publication Date
WO2020063188A1 true WO2020063188A1 (en) 2020-04-02

Also Published As

Publication number Publication date
CN109167796A (en) 2019-01-08
CN109167796B (en) 2020-05-19


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19864973; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19864973; Country of ref document: EP; Kind code of ref document: A1