Research On Anomaly Detection Techniques For Industrial Control Process

With more and more information technologies(ITs)integrated into industrial control system(ICS),ICS is becoming more and more open to the outside world,resulting that ICS is extremely vulnerable to cyber attacks.Due to the differences between ICS and traditional IT system,such as system architecture and security requirements,the information security solution of IT system can not fully meet the needs of ICS.Current researches on ICS anomaly detection focus on industrial network,while the physical characteristics of ICS are not fully considered.In view of this situation,this thesis focused on the low level industrial control process(ICP),and utilized the input and output data to detect anomaly.The main work and innovation are as follows:1.Since it's hard to obtain the abnormal data of real ICP,and considering that ICP's operation data approximately obey normal distribution,this thesis studied an one-class classification method based on statistical learning—support vector data description(SVDD),and introduced SVDD to the ICP anomaly detection area.Besides,in view of the high time complexity of solving SVDD model,this thesis proposed a reduced sample set based SVDD method—RS_SVDD.2.Considering that ICS has a strict real-time requirement,and that it will occupy many system resources to handle the high dimensional process data,this thesis proposed a new anomaly dectection method based on state transition graph — STGAD(State Transition Graph Based Anomaly Detection).STGAD transforms high dimensional data into two-dimensional data taking advantage of the temporal characteristic of ICP data,thus simplifys the calculation process.3.Considering the high cost,long construction period and complicated experiment steps of physical equipment,this thesis designed and built a semi-hardware ICP simulation platform based on Tennessee-Eastman(TE)model,which can simulate ICP's normal state,fault state and abnormal state under attack.SVDD?RS_SVDD and STGAD were verified based on the platform,the results show that the detection results of RS_SVDD are the same as SVDD if the reduced sample ratio is more than 30%.The target sample coverage of both RS_SVDD and SVDD on the test sample are more than 96%,and the detection time are no more than 40 sampling cycles,these fully show the effectiveness of RS_SVDD and STGAD methods.