Research On Stochastic Attack Oriented Industrial Control System Attacks Modeling And Detection

Posted on: 2021-11-09
Degree: Doctor
Type: Dissertation
Country: China
Candidate: G H Lu
GTID: 1488306332491974
Subject: Control Science and Engineering

Abstract/Summary:
Industrial control systems (ICSs) have been widely implemented in national critical infrastructures, such as water, transportation, energy, and chemical industry. Therefore, the security of ICS will directly influence the operation of critical infrastructures. Once ICSs are attacked, the stability and security of the physical world will be undermined, causing disastrous consequences such as environmental pollution, power failure, oil and gas leaks, and even explosions. Particularly, in recent years, the power grid, transportation, and other critical infrastructures have been frequently attacked by the Stuxnet virus, Duqu virus, Flame virus, and other malicious man-made attacks, posing a serious threat to people's lives and safety, socio-economic development and national stability. Therefore, the study of ICS attacks has attracted widespread attention.

Attacks directed at ICS are characterized by strong stealth, high complexity, and great harm. In particular, stochastic attacks, such as the Stuxnet virus, have unknown attack behaviors and unpredictable attack sequences. Therefore, how to extract attack features to analyze the dynamics of the control systems under stochastic attacks, how to model stochastic attacks to improve the ability to identify attack behaviors, and how to design an efficient attack detection scheme to improve the accuracy of attack detection are important for ensuring ICS security. Focusing on the above research difficulties, this thesis studies stochastic attack-oriented ICS attack modeling and detection. The main research contents and innovations are as follows.

(1) Study of ICS attack scenarios under stochastic attacks

Based on the analysis of security characteristics of control systems under stochastic attacks, the states of control systems are divided into four types: normal state, unstable state, shutdown state, and disaster state. To depict the dynamics of control systems under stochastic attacks, the attack scenarios (normal scenario, unstable scenario, shutdown scenario, and disaster scenario) based on the transition characteristics of system states are proposed.

(2) ICS attack modeling and detection for time-invariant stochastic attacks

To address the problem of uncertainty in system dynamics and the difficulty in modeling time-invariant stochastic attacks, the potential complex distributions in the system state space are analyzed and an attack modeling method based on the hidden Markov model (HMM) is proposed. The probabilistic dependencies of the system states are described by using the directed graph model, and then the control process under stochastic attacks is modeled. Furthermore, considering the difficulty of modeling complex attack sequences under the two strict conditional independence assumptions of HMM (one is the assumption that the next state is only dependent on the current state, and the other is the assumption that the current observation is only dependent on the current state), an improved attack modeling approach based on conditional random field (CRF) is proposed. By using the undirected graph, the correlations between observations and states are modeled, the potential dynamics of the system are described, and the ability to identify system states under complex time-invariant stochastic attacks is improved. The efficiency of the proposed ICS attack models for time-invariant stochastic attacks is verified by simulation experiments, and the experimental results indicate that the CRF-based attack detection method is superior to the HMM-based attack detection method in recognizing system states and detecting attacks.

(3) ICS attack modeling and detecting for time-invariant stochastic attacks with characterizations of changing attack intensities

For a group of time-invariant stochastic attacks with similar attack amplitudes but distinctive attack intensities, it is difficult to learn and distinguish different attack strategies using class-based methods because of the small gap between classes (i.e., the amplitudes of attack signals are very similar to each other). To solve this problem, an attack detection method based on the hidden conditional ordinal random field (HCORF) is proposed. By introducing an ordinal regression-based hidden layer model into the conditional random field (CRF), the attack sequences can be modeled as ordinal sequences, so that each type of attack is assigned an ordinal label. Therefore, the dynamics of time-invariant stochastic attacks can be described, the characterizations of changing attack intensities can be extracted, and finally, the inter-class correlations of a specific attack can be modeled. Besides, considering the problem of parameter estimation errors of the attack model caused by random missing data, a marginalization algorithm and an improved forward-backward algorithm are proposed to solve the problem of parameter estimation for HCORF. Thereby, the accuracy of the attack model subject to missing data can be improved. The results of simulation experiments demonstrate that the HCORF attack detection method based on ordinal regression is more accurate in attack detection than the class-based method, and that the HCORF method can effectively identify attacks in the presence of random data loss.

(4) ICS attack modeling and detecting for time-varying stochastic attacks

Compared with time-invariant stochastic attacks, the occurrence of system states under time-varying stochastic attacks is more unpredictable, so time-varying transition probabilities are proposed to model the system transition behaviors under attacks. The transition probabilities of system states are estimated by using observations. Thereby, the problem of modeling system dynamics for control systems under time-varying random attacks is solved. Besides, a time-varying hidden Markov model (HMM) based on time-varying transition probabilities is proposed for modeling time-varying stochastic attacks. An attack detection framework is also developed to detect time-varying stochastic attacks. Besides, to deal with the problem of random data loss, the expectation-maximization (EM) algorithm is used to estimate model parameters. Finally, a simulation experiment is conducted to verify that the time-varying HMM-based method has higher accuracy in detecting time-varying stochastic attacks than other classical machine learning methods. The results also indicate that the proposed method can effectively detect attacks in the presence of random data loss.

(5) Improved model for time-varying stochastic attacks under random noise interference

To address the problem of inaccurate system modeling and high false alarm rates of attack detection caused by random noises (outliers), the distribution characteristics (heavy-tailed non-Gaussian) of the anomalies are analyzed and the assumption of the Student's t-distribution is made to build a statistical model for outliers. To address the problem that the estimation accuracy of time-varying transition probabilities decreases under the interference of outliers, a time-varying HMM based on scheduling variables is proposed to improve the sensitivity of the attack model to changes in the attack signal; and considering the existence of hidden variables in the HMM, the EM algorithm is used to estimate parameters. Finally, a simulation is conducted to verify the effectiveness of the proposed attack detection method in detecting attacks subject to outliers.
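Added example, not code from the dissertation: a minimal time-invariant HMM decoder over the four system states named in item (1), built on the two independence assumptions stated in item (2), with a lost sample handled by marginalising its emission term (the standard HMM treatment, not the thesis's HCORF algorithm). All probabilities and the four-symbol observation alphabet are constructed assumptions.

```python
import math

# Constructed model (assumption): the four states come from the abstract; every
# probability and the observation alphabet below are illustrative, not the thesis's.
STATES = ["normal", "unstable", "shutdown", "disaster"]
START = [0.97, 0.01, 0.01, 0.01]
TRANS = [  # TRANS[i][j] = P(next state j | current state i)
    [0.90, 0.08, 0.01, 0.01],
    [0.10, 0.70, 0.15, 0.05],
    [0.05, 0.05, 0.85, 0.05],
    [0.01, 0.01, 0.03, 0.95],
]
# Observation symbols: 0 = in band, 1 = oscillating, 2 = flatlined, 3 = out of safe range
EMIT = [  # EMIT[i][k] = P(symbol k | state i)
    [0.90, 0.07, 0.02, 0.01],
    [0.15, 0.75, 0.02, 0.08],
    [0.05, 0.03, 0.90, 0.02],
    [0.02, 0.13, 0.05, 0.80],
]

def emit_logp(state, symbol):
    # A lost sample (None) is marginalised out: sum_k P(k | state) = 1, so log 1 = 0.
    return 0.0 if symbol is None else math.log(EMIT[state][symbol])

def viterbi(observations):
    """Most likely hidden state sequence for a series of symbols (None = lost sample)."""
    n = len(STATES)
    score = [math.log(START[i]) + emit_logp(i, observations[0]) for i in range(n)]
    back = []
    for symbol in observations[1:]:
        prev, score, ptr = score, [], []
        for j in range(n):
            best = max(range(n), key=lambda i: prev[i] + math.log(TRANS[i][j]))
            ptr.append(best)
            score.append(prev[best] + math.log(TRANS[best][j]) + emit_logp(j, symbol))
        back.append(ptr)
    state = max(range(n), key=lambda i: score[i])
    path = [state]
    for ptr in reversed(back):  # follow back-pointers from the last step to the first
        state = ptr[state]
        path.append(state)
    return [STATES[s] for s in reversed(path)]

def first_alarm(path):
    """Index of the first decoded non-normal state, or None if the run stays normal."""
    return next((t for t, s in enumerate(path) if s != "normal"), None)

if __name__ == "__main__":
    trace = [0, 0, 1, 1, None, 1, 2, 2, 2]  # constructed trace with one lost sample
    decoded = viterbi(trace)
    print(decoded, first_alarm(decoded))
```

The lost sample at index 4 is decoded from its neighbours through the transition matrix alone, which is why the path stays in "unstable" across the gap instead of raising or clearing an alarm there.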
Keywords/Search Tags: ICS attacks, Stochastic attack model, Attack detection, Time-varying hidden Markov model, Hidden conditional ordinal random field, Expectation-maximization algorithm, Forward-backward algorithm