| With the development of automation technology, the real-time data of industrial SCADA control systems has been highlighted its central position. They are transmitted via wireless digital radio, and describing the state of remote devices, making strategic decisions and sending control commands and providing the upper application systems. Data security has become the key factor in system security. The data of wireless digital radio which is under the SCADA system is facing uncertain and diversified security threats, such as data monitor, forgery, buffer overflows etc.. Therefore, it’s meaningful to study abnormal detection methods with high accuracy rate and adaptable, filter out the abnormal data packets which has affected the security of system, while ensuring the real-time requirements.Traditional anomaly detection technology analyzes the feature of package specification protocol for network anomaly mostly, and it does not combine with the upper application to analyze specific numerical and detect the abnormal behavior. However, the data of wireless digital radio in SCADA system which uses polling feature and combines with the upper applications has business constraints and smooth floating law. In this paper, anomaly detection methods based on the time sequential, constraint model and floating law were designed, which toke full consideration of data characteristics, abnormal data types and characteristics of the wireless digital radio in SCADA system with high applicability.Abnormal time sequential detection method extracted received interval and height characteristics. K distance factor was used to determine the abnormal pattern. The method compressed amount of the original data, compensated for the limitations of the abnormal behavior and adapted to the time sequence features. Abnormal constrained relationship detection method estimated the error using equivalent constraint method based on system business constraint model. The method integrated multiple values to ensure the correctness of the threshold. Abnormal float law detection method used the AR model to calculate the fit residuals in order to circumvent the normal volatility characteristics. Wavelet transform technology described the mutant character. It used recursive wavelet decomposition for online real-time detection. HMM was used to analysis the wavelet parameters. Meanwhile neighbor standard datasets and business impact factor were added to ensure the accuracy of detection result to adapt the changing business.In this paper, SCADA simulation system based on wireless digital radio and simulated attack tools were developed as an experimental environment. An anomaly detection system was designed and realized. It contained a standard database, feature extraction, anomaly detection and data processing module. Anomaly detection module realized the detection methods designed in this paper. Firstly rough detect the time series, then accurate check the constraints and float. Each module realized parallel processing manner. Experimental results showed that the data latency won’t be increased with the amount of data increase. It satisfied to the real-time requirements. For various types of attack packets, it has a higher detection rate. The methods can effective adapt unpredictable business and abnormal data packets. |
PDF Full Text Request