Research On Anomaly Detection Method Of Industrial Control System Based On Behavior Model

With the rapid development of network and information technology,more and more ICS(Industrial Control System)access to information network,which improves the industrial production efficiency,but increased the ICS network security risks.In recent years,with the organized attacks on the ICS network more and more frequent,and ICS is an important part of the national key infrastructure,ICS network security research has become a key issue in the field of information security.By analyzing the current situation of the research,the current intrusion detection method mainly includes the detection method based on traffic statistics,traffic model,and protocol application layer filed and field relationship.However,these methods can't detect the tampering behavior data or control program attacks,so the paper presents an industrial anomaly detection method based on behavior model.This industrial anomaly detection method mainly includes three parts:Firstly,this paper presents a method to extract the sequence of behavior data based on Modbus TCP.According to the address list of the Modbus application layer in the ICS,we obtain the list of the behavior data address values of the control behavior and process behavior,filter the session traffic containing the behavior data address value from the ICS network traffic,and then extract the behavior data sequence from the register or coil,according to the depth of Modbus TCP protocol analysis.Secondly,this paper proposes a method of constructing behavior model based on data dependency.We extract the behavior data sequence from the normal ICS network,calculate the structural parameter value according to the structural estimation algorithm of the behavior model,calculate the parameter estimation value according to the parameter estimation algorithm of the behavior model,and then convert the acquired behavior model into the state space equation form.Lastly,this paper presents a threshold detection method based on absolute error.We extract the behavior data sequence from the test ICS network,predict the output behavior data sequence using the normal behavior model,calculate the error sequence of the output behavior data sequence and the real-time extracted behavior data sequence,select the appropriate threshold,and then detect the existence of the abnormal intrusion by the threshold detection algorithm to match the threshold short sequence.According to the proposed method of industrial anomaly detection based on behavior model,this paper constructs the model of industrial anomaly detection,and then designs and realizes the industrial anomaly detection system based on behavior model.Furthermore,we build a simulation experiment environment based on the tank level control system and a test environment based on the real physical environment of the chemical mixed reaction process.It is proved that the proposed industrial anomaly detection method based on the behavior model can effectively detect the attack of tampering behavior data or control program.