
Research On Industrial Control System Intrusion Detection Technology

Posted on: 2019-02-03
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2348330563953927
Subject: Information security

Abstract/Summary:
Industrial Control Systems (ICS) are an important part of national critical infrastructure (electric power generation and waste water collection systems, for example), so guaranteeing their safe operation matters. In the past these systems were self-contained and fully isolated from public networks. In recent years the rapid development of computer technology and the popularity of "Internet Plus" have increased their connectivity to public networks, and cyber-attacks against industrial control systems have risen accordingly. Research on the information security of industrial control systems has therefore become more important, and intrusion detection is one of its main branches.

According to the location and source of the data collected, ICS intrusion detection systems (IDSs) can be categorized into network-based and application-based IDSs. For network-based IDS, research on the security of the Modbus serial line is relatively scarce. For application-based IDS, the real-time requirements of industrial control systems mean that some detection algorithms based on machine learning are not efficient enough. Building on previous research, this thesis studies both network-based and application-based IDS for industrial control systems. The main contributions are:

1. The typical abnormal behaviours on the Modbus serial port are summarised into six categories: illegal protocol messages, reconnaissance, attempted denial of service, denial of service, response injection and command injection. On this basis, 19 abnormal behaviours are summarised and their detection characteristics listed; detection rules for these behaviours are then proposed for Snort, together with a test sample.

2. A method for calculating the k-value of k-Nearest Neighbour is proposed, to avoid human error and low processing efficiency. In the original detection method, the k-value of the nearest neighbour used in the criticality scoring technique is set from experience. This thesis establishes a mathematical model that transforms the problem into one of finding jump points, so that a more appropriate value of k can be calculated. The improved method separates the score values of normal data from those of abnormal data more clearly: the scores of normal data are concentrated in the interval of small scores, while the scores of abnormal data lie in the interval of relatively large scores. It also makes the radius of the divided micro-clusters as large as possible, which reduces the number of detection rules and improves the real-time performance of the detection algorithm.

3. A method for reducing the number of micro-clusters by readjusting them is proposed, which reduces the number of detection rules and improves the detection rate while maintaining accuracy. In the method proposed by Abdulmohsen Almalawi et al., a fixed-width clustering technique is used to divide the micro-clusters and extract detection rules, and the width parameter w (the width of a micro-cluster) is chosen from empirical values; a small width can produce more detection rules and therefore a longer detection time, which conflicts with the limited hardware resources and high real-time requirements of industrial control systems. This thesis improves this process and verifies the superiority of the improved method through simulation experiments.
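To make contribution 1 concrete, the following is an added example of the kind of serial-line check the abstract describes, written for this page; it is not the thesis's Snort rules, its 19 signatures or its test sample. It parses Modbus RTU master requests, verifies the CRC-16 and exercises four of the six categories (illegal protocol messages, reconnaissance, attempted denial of service, command injection). The slave set, permitted function codes, writable-register ranges, time window and thresholds are assumed policy values, and the traffic in run_sample() is constructed for the example.

```python
"""Serial-line Modbus RTU checks for the abnormal-behaviour categories named above.
Added illustration: the policy constants, thresholds and traffic are constructed for
the example and are not the thesis's Snort rules or its test sample."""
from collections import deque

# Constructed site policy: the slaves, function codes and writable registers the
# master is expected to use.  A real deployment takes these from the engineering
# configuration of the plant.
ALLOWED_UNITS = {1, 2}
ALLOWED_FUNCS = {0x03, 0x06}        # 0x03 read holding registers, 0x06 write single register
WRITABLE_REGS = {0x0010: (0, 100)}  # register address -> permitted value range


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, func: int, payload: bytes) -> bytes:
    """Assemble an RTU request; the CRC goes on the wire low byte first."""
    body = bytes([unit, func]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


class ModbusRtuDetector:
    """Stateful checks over the (timestamp, frame) stream of master requests on one line."""

    def __init__(self, window=1.0, recon_units=3, flood_frames=20):
        self.window = window              # seconds of history kept for scan/rate checks
        self.recon_units = recon_units    # distinct unit ids per window before 'reconnaissance'
        self.flood_frames = flood_frames  # frames per window before 'attempted_dos'
        self.history = deque()            # (timestamp, unit id) within the window

    def inspect(self, ts: float, frame: bytes) -> list:
        if len(frame) < 4:
            return ["illegal_protocol: frame shorter than 4 bytes"]
        body, crc_lo, crc_hi = frame[:-2], frame[-2], frame[-1]
        if crc16_modbus(body) != ((crc_hi << 8) | crc_lo):
            return ["illegal_protocol: CRC mismatch"]      # never parse a corrupt frame
        unit, func, data = body[0], body[1], body[2:]
        alerts = []

        # Reconnaissance and flooding are judged on the stream, not on a single frame.
        while self.history and ts - self.history[0][0] > self.window:
            self.history.popleft()
        self.history.append((ts, unit))
        units_seen = len({u for _, u in self.history})
        if unit not in ALLOWED_UNITS:
            alerts.append("reconnaissance: unit id %d is not a configured slave" % unit)
        if units_seen > self.recon_units:
            alerts.append("reconnaissance: unit id sweep (%d ids in window)" % units_seen)
        if len(self.history) > self.flood_frames:
            alerts.append("attempted_dos: %d frames in %.1fs" % (len(self.history), self.window))

        # Per-frame protocol and policy checks.
        if func not in ALLOWED_FUNCS:
            alerts.append("illegal_protocol: function code 0x%02x not permitted" % func)
            return alerts
        if len(data) != 4:                 # 0x03 and 0x06 requests carry two 16-bit fields
            alerts.append("illegal_protocol: bad length for function 0x%02x" % func)
            return alerts
        addr = int.from_bytes(data[0:2], "big")
        value = int.from_bytes(data[2:4], "big")   # quantity for 0x03, register value for 0x06
        if func == 0x03 and not 1 <= value <= 125:
            alerts.append("illegal_protocol: read quantity %d outside 1..125" % value)
        if func == 0x06:
            bounds = WRITABLE_REGS.get(addr)
            if bounds is None:
                alerts.append("command_injection: write to non-writable register 0x%04x" % addr)
            elif not bounds[0] <= value <= bounds[1]:
                alerts.append("command_injection: value %d outside %s for register 0x%04x"
                              % (value, bounds, addr))
        return alerts


def run_sample():
    """Constructed traffic: a normal poll, a CRC-corrupted copy of it, an out-of-range
    write, a sweep over unconfigured unit ids, and a burst of polls."""
    det = ModbusRtuDetector(window=1.0, recon_units=3, flood_frames=20)
    out = {}
    poll = build_frame(1, 0x03, b"\x00\x00\x00\x0a")          # read 10 registers from unit 1
    out["poll"] = det.inspect(0.0, poll)
    out["bad_crc"] = det.inspect(0.1, poll[:-1] + bytes([poll[-1] ^ 0xFF]))
    out["bad_write"] = det.inspect(0.2, build_frame(1, 0x06, b"\x00\x10\x03\xe8"))  # 1000 > 100
    out["sweep"] = [a for u in range(3, 8)
                    for a in det.inspect(0.3, build_frame(u, 0x03, b"\x00\x00\x00\x01"))]
    burst = ModbusRtuDetector()
    out["burst"] = [a for i in range(25) for a in burst.inspect(0.01 * i, poll)]
    return out
```

The CRC check comes first and stops further parsing, because every later field of a corrupted frame is untrustworthy. The remaining two categories (denial of service proper and response injection) need the slave side of the conversation as well, so that requests can be paired with the responses that follow or fail to follow them; that state is not kept in this request-only example.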
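Contributions 2 and 3 both operate on the micro-clusters produced by fixed-width clustering, so one added example serves both; it is written for this page and does not reproduce the thesis's equations. It runs the four steps in order: fixed-width clustering with width w, a kNN-based criticality score per micro-cluster, a choice of k by looking for a jump in the sorted scores, and a readjustment step that merges neighbouring normal clusters into fewer, wider rules without losing coverage. The scoring formula (mean distance to the k nearest other centers), the jump criterion (largest ratio between adjacent sorted scores) and the merge rule (centers within 2w) are assumptions made for the example, and the sensor readings are constructed.

```python
"""Micro-cluster rule extraction for an ICS anomaly detector.
Added illustration built on the ingredients the abstract names (fixed-width
clustering, kNN-based criticality score, jump-point choice of k, cluster
readjustment); the score formula, jump criterion and merge rule here are
assumptions for this example, not the thesis's own model."""
import math
import random


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fixed_width_clustering(points, w):
    """One pass over the data: a point joins the first cluster whose center (its seed
    point) lies within w, otherwise it seeds a new micro-cluster."""
    clusters = []                      # each: {"center": tuple, "n": int}
    for p in points:
        for c in clusters:
            if dist(p, c["center"]) <= w:
                c["n"] += 1
                break
        else:
            clusters.append({"center": tuple(p), "n": 1})
    return clusters


def criticality_scores(clusters, k):
    """Assumed score: mean distance from a cluster's center to its k nearest other
    centers.  Isolated clusters (attack readings) score high, dense ones score low."""
    scores = []
    for i, ci in enumerate(clusters):
        ds = sorted(dist(ci["center"], cj["center"]) for j, cj in enumerate(clusters) if j != i)
        scores.append(sum(ds[:k]) / k)
    return scores


def choose_k_by_jump(clusters, k_max=10):
    """For each candidate k, sort the scores and find the largest multiplicative jump
    between neighbours; pick the k whose jump is largest.  Returns (k, threshold),
    the threshold being the geometric mean of the two scores either side of the jump."""
    best = (0.0, None, None)           # (jump ratio, k, threshold)
    for k in range(1, min(k_max, len(clusters) - 1) + 1):
        s = sorted(criticality_scores(clusters, k))
        for lo, hi in zip(s, s[1:]):
            if lo > 0 and hi / lo > best[0]:
                best = (hi / lo, k, math.sqrt(lo * hi))
    return best[1], best[2]


def readjust(clusters, w, merge_radius):
    """Greedy merge of micro-clusters whose centers lie within merge_radius, largest
    first.  The merged radius is chosen so that every point covered before is still
    covered (triangle inequality): fewer rules, same coverage."""
    pending = sorted(clusters, key=lambda c: -c["n"])
    rules = []
    while pending:
        seed = pending.pop(0)
        group = [seed] + [c for c in pending if dist(c["center"], seed["center"]) <= merge_radius]
        ids = {id(c) for c in group}
        pending = [c for c in pending if id(c) not in ids]
        n = sum(c["n"] for c in group)
        dims = len(seed["center"])
        center = tuple(sum(c["center"][d] * c["n"] for c in group) / n for d in range(dims))
        radius = max(dist(c["center"], center) + w for c in group) + 1e-9
        rules.append({"center": center, "radius": radius, "n": n})
    return rules


def classify(point, rules):
    """A reading is normal if it falls inside any rule extracted from normal clusters."""
    return "normal" if any(dist(point, r["center"]) <= r["radius"] for r in rules) else "abnormal"


def run_sample(w=0.5):
    """Constructed readings: two normal operating points plus three isolated attack
    readings.  Returns the intermediate results so they can be inspected."""
    rng = random.Random(7)
    normal = [(rng.gauss(10, 0.4), rng.gauss(20, 0.4)) for _ in range(200)]
    normal += [(rng.gauss(14, 0.4), rng.gauss(24, 0.4)) for _ in range(200)]
    attacks = [(30.0, 5.0), (5.0, 60.0), (-20.0, 22.0)]
    data = normal + attacks
    rng.shuffle(data)

    clusters = fixed_width_clustering(data, w)
    k, threshold = choose_k_by_jump(clusters)
    scores = criticality_scores(clusters, k)
    abnormal = [c for c, s in zip(clusters, scores) if s > threshold]
    normal_clusters = [c for c, s in zip(clusters, scores) if s <= threshold]
    rules = readjust(normal_clusters, w, merge_radius=2 * w)
    return {"k": k, "threshold": threshold, "clusters": clusters, "abnormal": abnormal,
            "rules": rules, "normal_points": normal, "attacks": attacks}
```

The readjust step is what contribution 3 is about in practice: every normal training point that matched a micro-cluster before merging still matches a rule afterwards, while the rule list that the real-time detector has to scan per reading is shorter. One caveat on the assumed jump criterion: it rewards whatever k puts the widest gap between the two score groups, and with isolated attack readings that is often k = 1; two attack readings placed close to each other would then score each other as near neighbours and look normal, which is one reason a principled choice of k, rather than a fixed small value, matters.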
Keywords/Search Tags: Industrial Control System (ICS), Intrusion Detection, Modbus RTU/ASCII, Data Clustering