
Network Traffic Anomaly Detection Based On Industrial Control Network

Posted on: 2015-10-24
Degree: Master
Type: Thesis
Country: China
Candidate: C M Gao
GTID: 2298330452453557
Subject: Computer Science and Technology
Abstract/Summary:
With the continuing fusion of industrialization and informatization, more and more information technologies are applied to industry. Industrial control networks have turned from closed networks into open ones, and many security problems have emerged as a result. Existing security schemes for industrial control systems mainly focus on access control, field bus security protocols, and the secure design of configuration software, but many of them are far from being usable in actual production because of the differences between industrial control networks and ordinary IT networks. Traffic anomaly detection is one of the effective methods for protecting industrial control system security. In light of the present situation of industrial control networks, this paper emphasizes security detection in the industrial control network and conducts related research mainly from the perspective of network traffic characteristics.

Since the Internet was invented, the study of common IT networks has never stopped and has produced many results. Intuitively, the traffic characteristics of industrial control networks and common IT networks must be different. There is currently little research on the traffic characteristics of industrial control networks, and most of it uses only network simulation to obtain traffic data for analysis, which may cause serious deviation between the findings and actual results. In this paper, we first collect the traffic of an industrial control network based on industrial Ethernet in a real environment. We then compare this traffic with common IT traffic and analyze in detail its important characteristics and the reasons why they differ from those of common IT traffic. With the traffic characteristics of the industrial control network established, we study their influence on the modeling of network traffic and propose a method based on multiple seasonal ARIMA to model the normal traffic of the industrial control network. Finally, we simulate Stuxnet attack traffic and detect it through the prediction of normal traffic using the multiple seasonal ARIMA model. The experimental results show that the proposed method has good detection performance.
Keywords/Search Tags: industrial control network, traffic characteristics, multiple seasonal ARIMA, Stuxnet attack
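
The detection approach named in the abstract, forecasting normal traffic with a multiple seasonal ARIMA model and flagging samples that deviate from the forecast, is illustrated below. This is an added example, not code from the thesis: it fits a minimal ARIMA(1,0,0)(0,1,0)_S1(0,1,0)_S2 model by least squares. The periods `S1` and `S2`, the threshold `K_SIGMA`, and the traffic series with its injected burst are constructed assumptions.

```python
import random

S1, S2 = 10, 36      # assumed seasonal periods (two polling cycles), in samples
K_SIGMA = 5.0        # assumed alarm threshold, in training-residual std devs
LAG = S1 + S2 + 1    # history needed before the first forecast

def make_traffic(n, burst=(), seed=7):
    """Constructed traffic: two periodic polling loads plus AR(1) noise."""
    rng, noise, out = random.Random(seed), 0.0, []
    for t in range(n):
        noise = 0.6 * noise + rng.uniform(-1, 1)
        y = 200 + (40 if t % S1 < 2 else 0) + (25 if t % S2 < 5 else 0) + noise
        out.append(y + (30 if t in burst else 0))  # burst = injected anomaly
    return out

def sdiff(h, t):
    """Apply both seasonal differences, (1 - B^S1)(1 - B^S2), at time t."""
    return h[t] - h[t - S1] - h[t - S2] + h[t - S1 - S2]

def forecast(h, t, phi):
    """One-step forecast of h[t] using only values before t."""
    return h[t - S1] + h[t - S2] - h[t - S1 - S2] + phi * sdiff(h, t - 1)

def fit(train):
    """Least-squares AR(1) coefficient on the differenced series, plus the
    standard deviation of the in-sample one-step forecast errors."""
    w = [sdiff(train, t) for t in range(S1 + S2, len(train))]
    phi = sum(a * b for a, b in zip(w[1:], w)) / sum(b * b for b in w[:-1])
    res = [train[t] - forecast(train, t, phi) for t in range(LAG, len(train))]
    sigma = (sum(e * e for e in res) / len(res)) ** 0.5
    return phi, sigma

def detect(train, live, phi, sigma):
    """Indices in `live` whose forecast error exceeds K_SIGMA * sigma."""
    h, alarms = list(train), []
    for i, y in enumerate(live):
        h.append(y)
        t = len(h) - 1
        pred = forecast(h, t, phi)
        if abs(y - pred) > K_SIGMA * sigma:
            alarms.append(i)
            h[t] = pred  # keep the anomaly out of later seasonal lags
    return alarms

if __name__ == "__main__":
    series = make_traffic(900, burst=set(range(700, 705)))
    phi, sigma = fit(series[:600])
    print(phi, sigma, detect(series[:600], series[600:], phi, sigma))
```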