
Research On Intellisense Technology Against APT Attacks In Industrial Control

Posted on: 2017-01-15
Degree: Master
Type: Thesis
Country: China
Candidate: X Ji
GTID: 2348330518470816
Subject: Computer Science and Technology

Abstract/Summary:
In recent years APT attacks have swept the world. APT attacks are characterised by abundant funding, advanced technology, long dormancy and an enormous threat; even multinational companies such as Google are not immune. APT attacks against the industrial control domain bear directly on people's livelihoods and on damage to the nation's critical infrastructure. Since the 2010 attack on Iran's Bushehr nuclear power plant by the Stuxnet worm, APT attacks against ICS have become a focus of the industry and of security experts, scholars and institutions in many countries.

At present, with the development of ICS technology, IT technology has been integrated into these systems. Bringing IT technology into ICS makes the originally isolated systems open and convenient, but it also brings risk. Because the characteristics of ICS differ from those of IT systems, and although many IT security countermeasures have already been applied to ICS, some ICS-specific security vulnerabilities still lack effective solutions. Combining a study of the characteristics of the Stuxnet attack with the existing literature, this paper is mainly concerned with two classes of attack that exploit characteristics of ICS: even when every network packet has a completely normal format, sequence-based and time-sequence-based attacks remain possible.

This paper presents a hierarchical, timing-aware intrusion detection system based on discrete-time Markov chains. It has four layers, covering data processing and intrusion detection. The data-processing part consists of three layers: the Snort intrusion detection software captures and filters Modbus-based industrial control network traffic; the data is then extracted into "events" according to the data features of the Modbus protocol; finally, following the Markov chain model, the data is abstracted into two parts, states and transitions. In the training and testing phases of anomaly detection, the data-processing part models the data for each of the two stages, and the detection part of the intrusion detection system judges whether an intrusion exists.

In the intrusion detection part, this paper first classifies the ICS-specific attacks into sequence-based and time-sequence-based attacks and proposes an anomaly detection algorithm to meet the needs of detecting them. Then, according to the characteristics of ICS data, the anomaly detection algorithm is improved in three aspects, data importance, data semantics and data rules, so that the false alarm rate of the intrusion detection system decreases markedly and the system can differentiate dubious but safe behaviour from suspicious intrusions. Finally, the sequence-aware intrusion detection system presented in this paper is tested in an ICS simulation environment built by the laboratory. Compared with the original algorithm, the improved algorithm effectively reduces the false alarm rate and achieves higher detection efficiency and accuracy. The results are consistent with expectations.
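As an added illustration (not code from the thesis), the following Python sketch shows the core of the sequence-aware detector described above: a first-order discrete-time Markov chain learned over Modbus "events", with per-transition timing bounds, so that both sequence-based and time-sequence-based attacks are flagged even though every packet is well formed. The definition of an event as a (function code, start address) pair, the constructed sample traffic, and the write-weighting rule used to separate dubious behaviour from suspicious intrusions are assumptions, not the thesis's own definitions.

```python
from collections import defaultdict

# Assumption: a Modbus "event" is the (function_code, start_address) pair of one
# request; the timestamp is carried alongside so timing can be checked as well.
CYCLE = [(3, 0), (3, 100), (6, 10), (16, 20)]   # one normal HMI poll/control cycle
WRITE_FCS = {5, 6, 15, 16}                     # writes treated as high-importance data

def build_train(cycles=30):
    """Constructed normal traffic: CYCLE repeated with mild timing jitter."""
    events, t = [], 0.0
    for k in range(cycles):
        for fc, addr in CYCLE:
            t += 1.0 + 0.1 * (k % 3)           # inter-event gaps of 1.0, 1.1 or 1.2 s
            events.append((t, fc, addr))
    return events

class SequenceAwareModel:
    """Markov chain over events (states + transitions) plus per-transition timing bounds."""
    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))   # state -> next state -> n
        self.gaps = defaultdict(list)                         # (state, next) -> [dt]

    def fit(self, events):
        # training phase: count observed transitions and record their time gaps
        for (t0, *a), (t1, *b) in zip(events, events[1:]):
            self.counts[tuple(a)][tuple(b)] += 1
            self.gaps[(tuple(a), tuple(b))].append(t1 - t0)

    def transition_prob(self, a, b):
        row = self.counts.get(a, {})
        total = sum(row.values())
        return row.get(b, 0) / total if total else 0.0

    def score(self, events, slack=0.5):
        """Testing phase: return (index, kind, severity) alerts for a captured stream."""
        alerts = []
        for i, ((t0, *a), (t1, *b)) in enumerate(zip(events, events[1:]), 1):
            a, b = tuple(a), tuple(b)
            # data-importance rule (assumption): an abnormal path that ends in a write
            # is a suspicious intrusion; anything else is merely dubious behaviour
            severity = "suspicious intrusion" if b[0] in WRITE_FCS else "dubious behaviour"
            if self.transition_prob(a, b) == 0.0:
                alerts.append((i, "sequence", severity))      # sequence-based attack
            else:
                lo, hi = min(self.gaps[(a, b)]), max(self.gaps[(a, b)])
                if not lo - slack <= t1 - t0 <= hi + slack:
                    alerts.append((i, "timing", severity))    # time-sequence attack
        return alerts
```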
Keywords/Search Tags: Industrial control, Advanced Persistent Threat, Sequence-aware, Intrusion Detection