Improvement And Application Of Snort In Intrusion Detection Of Industrial Control System

Posted on: 2018-04-20  Degree: Master  Type: Thesis
Country: China  Candidate: Z H Feng
GTID: 2348330518496706  Subject: Electronics and Communications Engineering
Abstract/Summary:
With the rapid development of Internet technology, industrial control systems are also being connected to the Internet so that they can be monitored and managed more conveniently, but this connectivity brings risks. In recent years, the number of information security incidents in industrial control systems has increased significantly, and intrusion detection for industrial control systems has received extensive attention. Current research mainly focuses on classification, on improving the matching algorithm, or on designing detection rules according to the characteristics of a particular TCP/IP-based industrial control protocol. However, there is no related intrusion detection scheme for industrial control protocols based on the Ethernet layer. In this thesis, we study Snort, the most popular intrusion detection framework, and its methods used in industrial control systems. The detailed research is as follows.

Firstly, we extend the framework of Snort. To make Snort support detection of the common industrial control protocols based on the Ethernet layer, this thesis improves Snort's packet decoding engine for PROFINET-RT and PROFINET-DCP, and designs a detection template as well as the preprocessor.

Secondly, for the programmable logic controllers common in industrial control systems, the Siemens S7-200/300/400 series, a detection method that adds a program monitoring module to Snort is proposed. This module downloads the PLC program block and then calculates its hash value to detect whether the program in the PLC has been tampered with, so as to ensure the safety of the industrial control system.

Finally, the extended Snort is used to inspect traffic from an industrial control system and from an ordinary computer network. Anomalous traffic is identified and alerted on, which shows that the extended Snort can efficiently implement intrusion detection.
Keywords/Search Tags:Snort, PROFINET-RT, PROFINET-DCP
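
The Ethernet-layer decoding step that the abstract describes for PROFINET-RT and PROFINET-DCP can be illustrated with a small frame classifier. This is an added example, not code from the thesis or from Snort: the names `pn_classify` and `pn_class` are hypothetical, the sample frames are constructed, and it assumes the PROFINET EtherType 0x8892, at most one 802.1Q tag, and DCP FrameIDs 0xFEFC to 0xFEFF.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN     0x8100u /* IEEE 802.1Q tag */
#define ETHERTYPE_PROFINET 0x8892u /* PROFINET real-time EtherType (assumed here) */

enum pn_class { PN_NOT_PROFINET, PN_TRUNCATED, PN_DCP, PN_RT_OTHER };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Classify one raw Ethernet frame; *frame_id is written only for PN_DCP / PN_RT_OTHER. */
enum pn_class pn_classify(const uint8_t *f, size_t len, uint16_t *frame_id)
{
    size_t off = 12; /* skip destination and source MAC */
    if (len < off + 2) return PN_TRUNCATED;
    uint16_t type = rd16(f + off);
    off += 2;
    if (type == ETHERTYPE_VLAN) { /* skip TCI, read inner EtherType */
        if (len < off + 4) return PN_TRUNCATED;
        type = rd16(f + off + 2);
        off += 4;
    }
    if (type != ETHERTYPE_PROFINET) return PN_NOT_PROFINET;
    if (len < off + 2) return PN_TRUNCATED; /* FrameID cut off: never read past len */
    *frame_id = rd16(f + off);
    /* DCP FrameIDs: 0xFEFC Hello, 0xFEFD Get/Set, 0xFEFE/0xFEFF Identify req/resp */
    return (*frame_id >= 0xFEFC && *frame_id <= 0xFEFF) ? PN_DCP : PN_RT_OTHER;
}

/* Constructed sample frames (headers only), not captured traffic. */
static const uint8_t dcp_identify[] = { 0x01,0x0e,0xcf,0x00,0x00,0x00, 0x02,0,0,0,0,0x01, 0x88,0x92, 0xfe,0xfe };
static const uint8_t vlan_cyclic[] = { 0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x81,0x00, 0xc0,0x00, 0x88,0x92, 0x80,0x00 };
static const uint8_t ipv4_frame[] = { 0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x08,0x00, 0x45,0x00 };
static const uint8_t cut_short[] = { 0x02,0,0,0,0,0x02, 0x02,0,0,0,0,0x01, 0x88,0x92, 0xfe };

int main(void)
{
    uint16_t id = 0;
    printf("dcp=%d ", pn_classify(dcp_identify, sizeof dcp_identify, &id));
    printf("vlan=%d ", pn_classify(vlan_cyclic, sizeof vlan_cyclic, &id));
    printf("ipv4=%d ", pn_classify(ipv4_frame, sizeof ipv4_frame, &id));
    printf("short=%d\n", pn_classify(cut_short, sizeof cut_short, &id));
    return 0;
}
```

Frames of this kind carry no IP header, so rules keyed on IP addresses or TCP/UDP ports never see them; a decoder has to branch on the EtherType before any protocol-specific detection can run.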