Industrial Control System Abnormal Traffic Detection Based on R-DFA State Machine
  • Original title: 基于R-DFA状态机的工控系统异常流量检测
  • Authors: ZHOU Yu; ZHENG Rong-feng; LIU Jia-yong
  • Affiliations: College of Electronics and Information Engineering, Sichuan University; College of Cyberspace Security, Sichuan University
  • Keywords: industrial control system; flow characteristics; finite automaton; uplink channel information; abnormal traffic detection system
  • Journal: Modern Computer (现代计算机(专业版)), journal code XDJS
  • Publication date: 2019-02-15
  • Year: 2019
  • Issue: 05
  • Pages: 35-40 (6 pages)
  • Article ID: XDJS201905008
  • CN: 44-1415/TP
  • Language: Chinese
Abstract
Earlier abnormal-traffic detection systems for industrial control systems could not detect anomalies on the uplink channel. This paper proposes an abnormal traffic detection method for industrial control systems built around R-DFA, a finite automaton whose input alphabet includes the uplink channel information sent from the PLC to the host (upper) computer. The method first builds a whitelist of industrial control channels, then extracts the features of normal industrial control traffic, builds a state transition table and trains the R-DFA model; a periodic state sequence is then appended after the state machine to remedy the limitation that a state transition in the state machine depends only on the previous state. Experimental results show that the method achieves high anomaly-detection accuracy and can also effectively detect anomalies in uplink-channel traffic.
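The pipeline the abstract describes (channel whitelist, transition table learned from normal traffic, uplink responses as automaton inputs, and a periodic state sequence layered on the first-order state machine) as an added worked example. This is illustrative code written for this page, not the authors' implementation: the message fields, addresses, function codes and the polling cycle are constructed, and the period-finding and re-alignment heuristics are the example's own choices rather than anything the paper specifies.

```python
"""
Added example, not code from the paper: a toy R-DFA-style detector that
(1) whitelists (src, dst) channels, (2) learns a state-transition table
from normal traffic with uplink (PLC -> HMI) responses as first-class
states, and (3) learns the periodic state sequence so anomalies the
first-order transition table cannot see are still caught.  Message
format, addresses, function codes and traffic are all constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    src: str        # sender address (constructed)
    dst: str        # receiver address (constructed)
    direction: str  # "down": HMI -> PLC request, "up": PLC -> HMI response
    func: int       # function code (Modbus-style numbers, assumed)
    length: int     # payload length in bytes


class RDFA:
    def __init__(self, use_uplink=True):
        # With use_uplink=False every PLC response collapses into one
        # state, mimicking detectors that only model the HMI's commands.
        self.use_uplink = use_uplink
        self.whitelist = set()   # allowed (src, dst) channels
        self.transitions = {}    # state -> set of allowed next states
        self.cycle = []          # periodic state sequence from normal traffic

    def symbol(self, m):
        if m.direction == "up" and not self.use_uplink:
            return ("up",)
        return (m.direction, m.func, m.length)

    def train(self, normal):
        syms = [self.symbol(m) for m in normal]
        for m in normal:
            self.whitelist.add((m.src, m.dst))
        for a, b in zip(syms, syms[1:]):
            self.transitions.setdefault(a, set()).add(b)
        self.cycle = self._period(syms)

    @staticmethod
    def _period(syms):
        # Smallest p such that the normal trace repeats with period p.
        for p in range(1, len(syms)):
            if all(syms[i] == syms[i + p] for i in range(len(syms) - p)):
                return syms[:p]
        return list(syms)

    def _align(self, s, pos):
        # Nearest slot at or after pos where s is expected; pos if absent.
        n = len(self.cycle)
        for k in range(n):
            if self.cycle[(pos + k) % n] == s:
                return (pos + k) % n
        return pos

    def detect(self, trace):
        """Return (index, reason) alerts for a captured message sequence."""
        alerts, prev, pos, n = [], None, 0, len(self.cycle)
        for i, m in enumerate(trace):
            if (m.src, m.dst) not in self.whitelist:
                alerts.append((i, "channel not in whitelist"))
                continue  # foreign traffic never drives the automaton
            s = self.symbol(m)
            if prev is None:
                pos = self._align(s, 0)  # capture may start mid-cycle
            elif prev in self.transitions and s not in self.transitions[prev]:
                alerts.append((i, "illegal transition"))
            if s != self.cycle[pos % n]:
                alerts.append((i, "out of cycle"))
                pos = self._align(s, pos)  # re-synchronise on the cycle
            pos += 1
            prev = s
        return alerts


HMI, PLC = "192.168.10.5", "192.168.10.20"  # constructed addresses


def down(func, length):
    return Msg(HMI, PLC, "down", func, length)


def up(func, length):
    return Msg(PLC, HMI, "up", func, length)


# One polling cycle (constructed): read coils, read registers, read coils
# again, then write registers.  The coil poll recurs, so the legal successor
# of a coil response depends on where in the cycle it sits.
CYCLE = [down(1, 6), up(1, 4), down(3, 6), up(3, 9),
         down(1, 6), up(1, 4), down(16, 11), up(16, 6)]
NORMAL = CYCLE * 3

# Scenario 1: a PLC response of the wrong length (uplink anomaly).
UPLINK_BAD = CYCLE[:3] + [up(3, 5)] + CYCLE[4:]
# Scenario 2: every transition is legal, but the register read is skipped.
SKIPPED_READ = [down(1, 6), up(1, 4), down(16, 11), up(16, 6)] * 2
# Scenario 3: a write command from an unknown host on the PLC's channel.
ROGUE = CYCLE[:2] + [Msg("192.168.10.99", PLC, "down", 16, 11)] + CYCLE[2:]


def run(use_uplink=True):
    model = RDFA(use_uplink)
    model.train(NORMAL)
    scenarios = [("uplink_bad", UPLINK_BAD), ("skipped_read", SKIPPED_READ),
                 ("rogue", ROGUE)]
    return {name: model.detect(t) for name, t in scenarios}


if __name__ == "__main__":
    for name, alerts in run().items():
        print(name, alerts)
    print("uplink-blind model on uplink_bad:", run(use_uplink=False)["uplink_bad"])
```

Running the block prints the alerts for the three constructed scenarios. The `skipped_read` case is the one that motivates the periodic sequence: every pair of consecutive messages is one the model has seen in normal traffic, so the transition table alone accepts it, but the register read that should follow the first coil poll never occurs. With `use_uplink=False` the truncated PLC response in `uplink_bad` collapses into the generic response state and goes undetected, which is the blind spot the abstract attributes to earlier detectors. Re-alignment after a mismatch is a heuristic: a capture that starts mid-cycle is aligned to the first matching slot, which can cost one spurious alert when the same symbol occurs at several positions in the cycle.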