| Attack events for industrial control systems(ICS)often occur,the abnormal state of the attacked ICS is shown through the data characteristics of field device.The existing anomaly detection technology based on system characteristics relies on the behavioral characteristics of the specific industrial control system and it is difficult to carry out a comprehensive anomaly analysis for all the data of the industrial control equipment.Most of the existing anomaly detection technology based on data characteristics do not fully consider the correlation characteristics and timing characteristics of industrial equipment?s data.Considering the shortcoming of the existing ICS data anomaly detection technology,a new detection method which can take into account the independent anomaly of single field device and the correlation anomaly of multi-attribute data in the ICS is put forward in this dissertation.The main work of this dissertation is as follows:(1)Study the timing characteristics and correlation characteristics of ICS field device data.Based on the analysis of the general structure of the ICS,this dissertation divides the telemetry and remote traffic into continuous variable and discrete variable,and the relationship between the variables that influence each other is also studied.(2)Independent anomaly detection for single attribute.For the discrete variable,this dissertation mainly constructs the range or the possible value set of the variable in the process of training decision model.According to whether the data exceeds the variable range or does not belong to its value set to determine whether there is an abnormal.For the continuous variable,this dissertation mainly constructs the interval and auto regressive model for the variable when training the decision model.When construct the auto regressive model,the least squares method and the AIC rule are used to determine the parameters and the appropriate order of the auto regressive model.According to whether the data exceeds the variable range or violates the chi-square hypothesis test to determine whether there is an abnormal.(3)Associated anomaly detection between different attributes.Based on the analysis of the traditional K-means algorithm and the particle swarm optimization algorithm,this dissertation takes advantage of the characteristics of the global search ability of particle swarm optimization algorithm and improves the shortcomings of the selection for initial cluster center of K-means algorithm,and designs the ICS Association Anomaly Detection Model based on the PSO_K-Means algorithm.In the process of training decision models,the anomalous cluster containing the noise samples is eliminated by calculating the clustering cluster anomaly factor,and the cluster cluster radius is determined based on the mean and standard deviation of the average distance of the objects within a cluster.When the trained decision model is used,the distance between the test object and each cluster center is calculated to determine whether the test object is abnormal.Finally,the ICS anomaly detection experiment is carried out by simulating the water storage heating system in the OMNeT++ environment.The experimental results show that compared with the similar detection model of other literature,the model proposed in this dissertation has a lower false negative rate of abnormal data and the consideration of the data is more comprehensive and has some application prospects. |
PDF Full Text Request