Research Of EtherCAT System Security Analysis And Monitoring Method

The security problem of industrial control system has become more and more serious,with the attack events frequent.At the same time,industrial Ethernet technology has been widely applied to the industrial control field bus,and the openness of Ethernet also opens up a new attack surface.This paper gives a reasonable attack hypothesis,analyzes and realizes the intrusion experiment on the actual system according to the particularity of real-time Ethernet in the ICS field layer,in consideration of the deficiency of the research on attack and detection of Real-time Ethernet,especially EtherCAT in the existing work.As the countermeasure of these attack means,this paper puts forward a real-time Ethernet security monitoring scheme,in which the reasonable system characteristics are selected and reasonable abnormal data for detection experiment is generated.This paper builds a physical EtherCAT network platform on which the attack and intrusion detection module are deployed for verification.The main work of this paper includes:(1)According to the actual factory equipment,the EtherCAT communication environment is built,and the EtherCAT communication mode is deeply analyzed.Based on this,the real-time Ethemet security monitoring platform is realized,including EtherCAT equipment system,attack terminal,intrusion detection module and visualization platform.(2)According to the openness of real-time Ethernet in the field layer,the attacker model is given,the key instruction injection attack and advanced data injection attack against the system are proposed and analyzed,the attack principle and effect of real-time Ethernet system are clarified,and the data manipulation method of system process is clarified The attack experiment is implemented on the built physical platform.(3)Aiming at the key instruction injection attack,a key instruction monitoring scheme based on rule matching is designed to realize automatic rule set generation and visualization of monitoring results.Aiming at process data injection attack,periodic communication model monitoring based on deterministic finite state automata is designed to realize automatic generation of state transition model,collect real factory data and inject reasonable abnormal data to verify the detection method.Aiming at the high-level data injection attack that can bypass the general detection model,a frequency model monitoring method based on gating cycle unit neural network is designed.The communication mode with similar characteristics of non-real time protocol message interval coexisting with EtherCAT protocol is selected,and reasonable abnormal samples are generated to verify the detection ability of the algorithm.