On The Research Of Data And Model-driven Dynamic Cyber-security Protection For Industrial Cyber-physical Systems

Industrial Cyber-Physical systems(ICPS)are networked control systems which tightly integrate communication,computation and control techniques.ICPSs have been widely applied to industrial sectors,including manufacturing,power grid,water distribution,transportation and so on,thus playing a vital role in national economy and our daily life.Since cyber-attacks against ICPSs could cause harm to the physical world,such as economic losses,casualties,environmental pollution,etc.,it is of crucial importance to guarantee the security of ICPSs.This thesis,with focus on the security issues of ICPSs,investigates the system architecture,operation features and security requirements of ICPSs,introduces the idea of closed-loop control to cyber-security field,combines the security knowledge and big running data in ICPSs,and proposes a data and model-driven dynamic cyber-seucrity protection approach for ICPSs.Specifically,this approach includes three parts: intrusion detection,risk assessment and decision-making,which can help actively defend ICPSs against cyber-attacks and guarantee the operational security by means of timely detecting cyber-attacks,assessing system security risk and making active defense strategies.Traditional deep-packet-inspection-based intrusion detection methods can not detect unknown or denial-of-service attacks,and they usually require many computation and storage resouces,so these methods are not fit for ICPSs with limited resources and hard real-time requirements.Therefore,a traffic pattern learning-based intrusion detection approach is proposed for ICPSs.This approach builds a N-Burst traffic model and extracts traffic features after analyzing the communication patterns in ICPSs,then feds these traffic features into a hierarchical self-organizing map(HSOM)to learn traffic patterns.The trained HSOM is further applied to online intrusion detection,and it can detect virious kinds of known attacks and even unknown attacks.Meanwhile,with consideration to the problem that security-related data is scarce in ICPSs,an active learning-based training algorithm is devised to overcome the difficulty of imbalanced dataset learning,which can help the HSOM to improve the intrusion detection accuracy and accelerate the training speed.Dynamic risk assessment is responsible for evaluating security situation and predicting attack behaviors.As the cyber layer and physical layer of ICPSs have significant differences,to conduct cross-layer risk assessment is quite difficult.Accordingly,this paper proposes a cross-layer risk assessment approach based on Bayesian network(BN)and stochastic hybrid system(SHS)model.In the cyber layer,BN is adopted to characterize the attack propagation process and predict the probabilities of compromise for all the system host(including the nodes in thephysical layer),and then calculate the cyber risk value.In the physical layer,SHS model is employed to describe the evolution of physical systems under attack,and an unbiased state estimator is designed for each hybrid state to estimate the states of the physical system under attack,which can help compute the physical risk value by evaluating the availability metrics of the physical system.Besides,since ICPSs have complex system architectures and a large quantity of devices,it is troublesome to assign the parameters of the risk assessment model.In order to sovle this problem,an offline batch learning algorithm and an online incremental learning algorithm are proposed for the BN-based risk assessment model,which can significantly reduce the workload of security experts and improve the accuracy of risk assessment process as well.Security decision-making seeks to defend against attackers by generating defense strategies according to system security situation and attack behaviors.Considering that security protecting is a game process between the attacker and the defender and the attaker's behavior is usually uncertain due to the lack of complete knowledge about the target system,a stochastic game-based security decision-making approach is proposed for ICPSs.This approach constructs a stochastic security game model whose game state transion probability distributions come from the BN in the risk assessment module and payoff parameters are obtained through a time-based unified cyber-physical attack-defense payoff quantification mechanism.Then an optimal decision-making algorithm is devised to sovle the game problem,which generates the defense strategies.Moreover,a Q-learning reinforcement learning algorithm is designed for the proposed stochastic game model to acquire the optimal defense strategy profile by means of iterative learning when game model parameters can not be accurately specified in advance.By implementing the obtained optimal defense strategies,the defender can prevent against malicious attacks online and minize system loss.At last,a summary of this thesis is presented,the novelties of the presented work are explained,and the future work is also discussed.