基于网络流量异常监测的工业控制系统安全技术研究
Research on Security Technology of Industrial Control System Based on Network Traffic Abnormal Monitoring
摘要: 随着科技的发展,在智能自动化制造中工业控制系统逐渐被接入互联网,而当前互联网上存在着大量的攻击,直接影响着工业控制系统的安全,工控系统面临的安全形势也越来越严重。因此,工业控制系统与关键基础设施的网络安全受到高度的关注,为有效抵御恶意软件对工业控制系统的攻击,网络入侵检测系统是一个常用的措施,其分为两大主要的策略,一种策略是采用统计分析与机器学习的异常监测,另一种策略是采用攻击特征或规则进行比对的特征监测。本文提出一种监测工业控制系统网络出现的异常封包的技术,该技术的核心技术在于寻找TCP和UDP协议数据部分的规律性,并构造一个正常行为模型。通过工业控制系统网络内布置的蜜罐技术,系统模型还可以额外产出特征,协助过滤已知的攻击。该方法适用于建立在TCP与UDP之上的工业控制系统协议,并将检测模型嵌入到工业防火墙中,实现对Modbus/TCP与BACnet/IP异常报文检测。
Abstract: With the development of science and technology, industrial control systems are gradually con-nected to the Internet in intelligent automated manufacturing, and there are a large number of at-tacks on the Internet, which directly affect the safety of industrial control systems, and the security situation facing industrial control systems is becoming more and more serious. The network security of industrial control systems and critical infrastructure has been highly valued in recent years. In order to resist malicious software attacks against industrial control systems, network in-trusion detection systems are a commonly used method, which is divided into two main strategies. One kind of anomaly detection uses statistical analysis and machine learning, and the other is misuse detection that uses attack characteristics or rules to compare. A technology for detecting abnormal packets in the industrial control system network is proposed in this paper. The core concept of the technology is to find the regularity of the TCP and UDP protocol payloads, and con-struct a normal behavior model. Through the honeypot is arranged in the industrial control system network, the system model can also generate additional features to help filter known attacks. Our method is suitable for industrial control system protocols built on TCP and UDP, and the detection model is embedded in the industrial firewall to realize the detection of Modbus/TCP and BACnet/IP abnormal messages.
文章引用:徐友洪, 李剑萍, 吴宏良. 基于网络流量异常监测的工业控制系统安全技术研究[J]. 软件工程与应用, 2020, 9(6): 497-506. https://doi.org/10.12677/SEA.2020.96057

参考文献

[1] 尚文利, 杨路瑶, 陈春雨. 面向工业控制系统终端的轻量级组认证机制[J]. 信息与控制, 2019, 48(3): 344-353.
[2] 朱建军, 安攀峰, 万明. 工控网络异常行为的RST-SVM入侵检测方法[J]. 电子测量与仪器学报, 2018, 5(7): 8-14.
[3] Huang, K., Zhang, Q., Zhou, C., Xiong, N. and Qin, Y. (2017) An Efficient Intrusion Detection Approach for Visual Sensor Networks Based on Traffic Pattern Learning. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 47, 2704-2713. [Google Scholar] [CrossRef
[4] Zheng, Z. and Reddy, A.L.N. (2017) Safeguarding Building Automation Networks: THE-Driven Anomaly Detector Based on Traffic Analysis. 26th International Conference on Computer Communication and Networks (ICCCN), Vancouver, 31 July-3 August 2017, 1-11. [Google Scholar] [CrossRef
[5] Wan, M., Shang, W. and Zeng, P. (2017) Double Behavior Characteristics for OneClass Classification Anomaly Detection in Networked Control Systems. IEEE Trans-actions on Information Forensics and Security, 12, 3011-3023. [Google Scholar] [CrossRef
[6] Mantere, M., Sailio, M. and Noponen, S. (2014) A Module for Anomaly Detection in ICS Networks. Proceedings of the 3rd international Conference on High Confidence Networked Systems, Berlin, April 2014, 49-56. [Google Scholar] [CrossRef
[7] Tonejc, J., Güttes, S., Kobekova, A. and Kau, J. (2016) Machine Learning Methods for Anomaly Detection in BACnet Networks. Journal of Universal Computer Science, 22, 1203-1224.
[8] Mantere, M., Sailio, M. and Noponen, S. (2014) A Module for Anomaly Detection in ICS Networks. Proceedings of the 3rd International Conference on High Confidence Networked Systems, April 2014, 49-56. [Google Scholar] [CrossRef
[9] Ye, T., Jiang, X., Wan, D., et al. (2016) Ultrafast Photogenerated Hole Extraction/Transport Behavior in a New Type CH3NH3PbI3/Carbon Nanocomposite and Its Application in a Metal Electrode Free Solar Cell. ChemPhysChem, 17, 1-9. [Google Scholar] [CrossRef] [PubMed]
[10] Caswell, B., Beale, J. and Baker, A. (2006) Snort Intrusion Detection and Prevention Toolkit. Syngress Publishing, Amster-dam.
[11] 岳洋. 基于Snort的蜜罐系统的设计与实现[D]: [硕士学位论文]. 哈尔滨: 哈尔滨理工大学, 2010.
[12] Kumar, D., Narwal, P. and Singh, S.N. (2019) A Hidden Markov Model Combined with Markov Games for Intrusion Detection in Cloud. Journal of Cases on Information Technology, 21, 14-26. [Google Scholar] [CrossRef
[13] 张文安, 洪榛, 朱俊威. 工业控制系统网络入侵检测方法综述[J]. 控制与决策, 2019(11): 2277-2288.
[14] Han, L., Zhou, M., Qian, Y., et al. (2019) An Optimized Static Proposi-tional Function Model to Detect Software Vulnerability. IEEE Access, 7, 143499-143510. [Google Scholar] [CrossRef
[15] Li, W. and Ren, J. (2018) Distributed Frequent Interactive Pattern-Based Complex Software Group Network Stability Measurement. International Journal of Software Engineering and Knowledge Engineering, 28, 619-641. [Google Scholar] [CrossRef
[16] Cho, D.J., Han, Y.S. and Kim, H. (2015) Frequent Pattern Mining with Non-Overlapping Inversions. In: Dediu, A.H., Formenti, E., Martín-Vide, C. and Truthe, B., Eds., Lan-guage and Automata Theory and Applications. LATA 2015. Lecture Notes in Computer Science, Vol. 8977, Springer, Cham, 121-132. [Google Scholar] [CrossRef
[17] Haslinger, J., Kučera, R., Šátek, V., et al. (2018) Stokes System with Solution-Dependent Threshold Slip Boundary Conditions: Analysis, Approximation and Implementation. Mathematics and Mechanics of Solids, 23, 294-307. [Google Scholar] [CrossRef

为你推荐