Research Of Anomaly Detection System For Industrial Control System

Posted on: 2015-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: Y Huang
GTID: 2298330431477044
Subject: Computer application technology
Abstract/Summary:
Industrial Control Systems (ICS) serve as the core systems of power, metallurgy, chemical, petroleum, natural gas, water, transportation and other industrial infrastructure. The safety of such systems directly relates to public safety and national security. For a long time, ICS were closed, proprietary systems physically isolated from the Internet, and their design considered functionality, availability, testability and controllability. However, with the development of the Internet and information technology, especially the wide application of the Internet, cloud computing and the Internet of Things, ICS have gradually transformed from closed systems into open systems (such as allowing remote control and connecting to other internal systems), and from proprietary technology into common technology (such as using the Windows operating system and the TCP/IP protocol). The information security of ICS has drawn close attention from government agencies, large state-owned enterprises and universities, and has become a research field of information security in recent years.

This thesis follows the logical line: “PC system anomaly detection; upper and lower computer communication anomaly detection; lower machine data anomaly detection”. First, it analyzes in depth the current state of ICS development and information security, the existing protection methods (industrial firewall technology) and their limitations, and the main current anomaly detection techniques. Second, it analyzes the architecture of the ICS in detail and divides the ICS into three regions, “enterprise zones”, “PC Zone” and “lower machine zone”, so that security protections can be applied at different levels. For the PC Zone, it studies file change anomaly detection and designs the file change anomaly detection processes and methods. For upper and lower computer communication anomaly detection, it studies Snort and the syntax of Snort rules, and then designs a series of Snort rules based on the MODBUS protocol. For the lower machine zone, it proposes an adaptive clustering algorithm for mining outliers, ACBOD (Adaptive Clustering-Based Outlier Detection), to detect anomalies in the control data of the lower machine, based on the properties of the control data, the communication protocol and the high real-time requirements, using clustering techniques.

Based on these studies, ASP.NET is used to implement the “Anomaly detection system for ICS”. The system contains three modules: “PC system files change anomaly detection module”, “upper and lower computer communication anomaly detection module” and “lower machine data anomaly detection module”. Three experiments were carried out to analyze the prototype system. The experimental results demonstrate the validity, accuracy and usefulness of the system.
Keywords/Search Tags: Industrial control system (ICS), Information Security, Anomaly Detection, Outlier mining, Snort Rules