
Intrusion Detection Of Industrial Control Network Based On Modbus TCP Protocols

Posted on: 2018-09-28
Degree: Master
Type: Thesis
Country: China
Candidate: Y S Wang
Full Text: PDF
GTID: 2348330563952257
Subject: Computer Science and Technology
Abstract/Summary:
With industrialization and automation moving toward networked and information-based operation, industrial control systems (ICS) have become an important part of national critical infrastructure. In recent years ICS have been widely deployed in industry, energy, transportation and other important municipal areas, where they play an important role in national development and in raising people's living standards. The security of ICS has therefore attracted wide public concern. Intrusion detection methods can identify intrusion behaviour and enhance the security of such systems, but problems remain: misuse detection has a high false negative rate, anomaly detection has a high false positive rate, and the traditional pattern-matching algorithm has low detection accuracy and degrades detection performance.

To address these problems, this paper proposes the SD-IDS method. The method analyzes the characteristics of the Modbus TCP protocol and combines the ideas of misuse detection and anomaly detection. The SD-IDS algorithm is composed of three parts: deep protocol parsing, rule extraction and deep inspection. The algorithm is greatly improved, for example in higher detection precision and lower false positive and false negative rates.

First, this paper introduces the ideas behind intrusion detection technology and analyzes the advantages and disadvantages of the various detection models. It also analyzes the vulnerabilities of industrial control systems, which lays the theoretical foundation for the SD-IDS method. Secondly, this paper proposes a deep protocol parsing method based on protocol analysis technology. The method describes the protocol parsing process in detail and analyzes the packets so that the protocol field information can be obtained, for example the timestamp, protocol type, packet length, and the fields of the network, transport and application layers. Thirdly, in order to overcome the shortcomings of current detection technology, we propose a rule extraction method. The method consists of four parts: analyzing relations among the protocol fields within a packet, analyzing relations between the communication packets of Modbus master/slave devices, analyzing the periodicity of the same class of functional behaviour and the law by which its packet protocol fields change, and analyzing relations among the overall packets of reliable communication. The method establishes the rule model by combining the syntax, semantics and timing of the industrial network protocol. At the same time, we propose a deep inspection model that performs real-time inspection of network traffic. Finally, this paper implements the SD-IDS method. We simulate attacks to test SD-IDS in an experimental environment. The results show low false positive and false negative rates, and the method meets the test requirements for the attacks considered in this paper.
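The deep parsing and rule extraction steps described above, as an added illustration in Python that is not part of the thesis and not the author's SD-IDS code: it parses the Modbus TCP MBAP header, checks relations within one packet (protocol id, the length field against the real payload length, and an assumed read-only function-code whitelist), and pairs master requests with slave responses by transaction id. The sample frames are constructed.

```python
import struct
from collections import namedtuple

ALLOWED_FUNCTION_CODES = {1, 2, 3, 4}  # constructed read-only whitelist; a real rule set is extracted from baseline traffic
ModbusFrame = namedtuple("ModbusFrame", "tid pid length uid fc data")  # MBAP header fields + PDU

def parse_modbus_tcp(payload):
    """Deep protocol parsing: split the 7-byte MBAP header and the function code from a TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    return ModbusFrame(tid, pid, length, uid, fc, payload[8:])

def intra_packet_rules(frame, raw_len):
    """Rules on relations between the fields of a single packet."""
    alerts = []
    if frame.pid != 0:
        alerts.append("protocol id must be 0 for Modbus")
    if frame.length != raw_len - 6:  # MBAP length covers unit id + PDU only
        alerts.append("MBAP length does not match TCP payload length")
    if not frame.fc & 0x80 and frame.fc not in ALLOWED_FUNCTION_CODES:
        alerts.append(f"function code {frame.fc} not in whitelist")
    return alerts

class MasterSlaveTracker:
    """Rules on relations between master requests and slave responses, keyed by transaction id."""
    def __init__(self):
        self.pending = {}  # transaction id -> function code of the outstanding request

    def inspect(self, direction, payload):
        frame = parse_modbus_tcp(payload)
        alerts = intra_packet_rules(frame, len(payload))
        if direction == "request":
            self.pending[frame.tid] = frame.fc
        else:
            expected = self.pending.pop(frame.tid, None)
            if expected is None:
                alerts.append("response with no matching request")
            elif (frame.fc & 0x7F) != expected:
                alerts.append("response function code differs from request")
            elif frame.fc & 0x80:
                alerts.append(f"exception response, exception code {frame.data[0]}")
        return alerts

# Constructed sample frames: read holding registers request/response, a write single coil request, an orphan exception response
REQ_READ = bytes.fromhex("00010000000601030000000a")
RESP_READ = bytes.fromhex("000100000017010314") + bytes(20)
REQ_WRITE_COIL = bytes.fromhex("00020000000601050001ff00")
ORPHAN_EXC = bytes.fromhex("000900000003018302")
```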
Keywords/Search Tags: industrial control systems, protocol parsing, traffic characteristics, semantic analysis, deep inspection