Research And Application Of The Key Technologies For Industry Control Network Abnormal Status Monitoring

Posted on: 2019-12-17
Degree: Master
Type: Thesis
Country: China
Candidate: J N Wang
GTID: 2428330566970842
Subject: Computer system architecture
Abstract/Summary:
Industrial control networks are now widely used in many important areas of infrastructure. There is no clear boundary between the industrial control network and the external Internet, and security design is limited: traditional protection strategies rely on libraries of known characteristics, and the equipment on the network lacks dedicated security protection resources. As a result, serious production accidents caused by security attacks on industrial control networks have occurred in recent years.

This thesis uses bypass listening to attach dedicated network flow sensors and collect the characteristic data of network performance status indicators into dedicated message middleware, in order to meet the needs of security operation status monitoring and abnormal-identification modeling for industrial control networks. According to the protocol stack structure of the communication protocols in the different business subnets, a deep packet inspection program is designed to extract the target fields of communication packets and construct the characteristic data of each status indicator. Following a component-based design, dedicated collection modules are built for the characteristic data of the network operation status indicators, such as the currently accessing nodes, data communication connections, network data traffic, node control operations and control behavior sequences, and these modules send the characteristic data to the dedicated message middleware. Subscription-based configuration instructions and a heartbeat data mechanism provide function parameter adjustment and operation status monitoring for the network flow sensors. The whole acquisition process is illustrated using the IEC 104 communication protocol, commonly used in power SCADA systems, as an example.

Operating parameters such as the white list threshold are set for each network flow sensor according to the working characteristics of the different networks. White lists of access nodes, communication links and node operations are adaptively generated to identify illegal operations and abnormal access in the network. Taking into account the differences in production business between the control subnets, a semantic vector model is used to vectorize and numerically express the control behavior sequences within each network, retaining the frequency domain characteristics and context relations of the control operations within each sequence of control actions. Because abnormal sample data is difficult to obtain in a real production environment and the abnormal working status of an industrial control network lacks a clear definition, the one-class support vector machine algorithm is used to model the behavior sequence feature vectors produced by the semantic vector model for each control subnet, so as to recognize abnormal behavior sequences.

Finally, the efficiency of the deep packet inspection program, the parameter configuration and heartbeat upload functions, and the effect of different behavior sequence identification modeling approaches on accuracy are validated and evaluated in an experimental environment.
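The deep packet inspection and node-operation white list steps summarized above, as an added Python sketch that is not code from the thesis. It parses the standard IEC 60870-5-104 APDU header; the white list key (source, destination, type ID, cause of transmission), the reading of the threshold as a count of sightings during learning, and all sample frames and addresses are assumptions constructed for the example.

```python
import struct

def parse_apdu(buf):
    """Parse one IEC 60870-5-104 APDU; return None if it is not well formed."""
    if len(buf) < 6 or buf[0] != 0x68 or buf[1] != len(buf) - 2:
        return None                       # bad start octet or length field
    if buf[2] & 0x01:                     # S-format (01) / U-format (11): no ASDU
        return {"format": "U" if buf[2] & 0x02 else "S"}
    if len(buf) < 12:                     # I-format must carry a 6-octet ASDU header
        return None
    type_id, _vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", buf, 6)
    return {"format": "I", "type_id": type_id, "cot": cot & 0x3F, "ca": ca}

class OperationWhitelist:
    """Assumed design: trust (src, dst, type_id, cot) after `threshold` sightings."""
    def __init__(self, threshold):
        self.threshold, self.counts = threshold, {}
    def learn(self, src, dst, apdu):
        f = parse_apdu(apdu)
        if f and f["format"] == "I":
            key = (src, dst, f["type_id"], f["cot"])
            self.counts[key] = self.counts.get(key, 0) + 1
    def check(self, src, dst, apdu):
        f = parse_apdu(apdu)
        if f is None:
            return "malformed"
        if f["format"] != "I":
            return "ok"                   # link supervision frames carry no operation
        key = (src, dst, f["type_id"], f["cot"])
        return "ok" if self.counts.get(key, 0) >= self.threshold else "not-whitelisted"

# Constructed samples: frames, addresses and payload values are made up for the demo.
def i_frame(type_id, cot, body, ca=1):    # I-format APDU, sequence numbers left at zero
    asdu = struct.pack("<BBBBH", type_id, 1, cot, 0, ca) + body
    return bytes([0x68, 4 + len(asdu), 0, 0, 0, 0]) + asdu

MASTER, RTU, UNKNOWN = "10.0.0.10", "10.0.0.20", "10.0.0.99"
MEASURE = i_frame(13, 3, b"\x01\x00\x00" + struct.pack("<f", 49.98) + b"\x00")  # M_ME_NC_1, spontaneous
COMMAND = i_frame(45, 6, b"\x10\x00\x00\x01")                                   # C_SC_NA_1, activation
TESTFR = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])                            # U-format TESTFR act

def demo():
    wl = OperationWhitelist(threshold=2)
    for _ in range(2):                    # learning window
        wl.learn(RTU, MASTER, MEASURE)
        wl.learn(MASTER, RTU, COMMAND)
    return [wl.check(MASTER, RTU, COMMAND), wl.check(UNKNOWN, RTU, COMMAND),
            wl.check(RTU, MASTER, COMMAND[:-1]), wl.check(MASTER, RTU, TESTFR)]

print(demo())
```

The single command from the unlearned address is reported as not white-listed even though the same type ID is trusted from the master, which is why the key includes the endpoints and not only the operation.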
Keywords/Search Tags: Industrial Control Network, Deep Packet Inspection, Message Middleware, Semantic Vector Model, One Class Support Vector Machine