
Research On Abnormal Detection Of False Data Injection Attack In Industrial Control System Based On Improved KPCA Method

Posted on: 2020-06-23
Degree: Master
Type: Thesis
Country: China
Candidate: Y Liu
GTID: 2428330572969960
Subject: Control engineering

Abstract/Summary:
Industrial control systems are important parts of industrial infrastructure and are widely used in many key fields, such as chemical, energy and power. With the development of information technology, computer network technology has been used in more and more industrial control systems, and many security risks have emerged. Industrial control systems are distributed across various production processes. Once an abnormality occurs, it is likely to cause serious consequences, such as equipment failure, production interruption and casualties. If abnormal conditions can be found and safety measures taken in time, the losses can be reduced. It is therefore important to study abnormal detection technology for industrial control systems. This paper focuses on the following aspects of anomaly detection for network security in industrial control systems.

(1) This paper introduces the background and significance of the research and analyzes the differences between industrial control systems and traditional information systems. It also summarizes the current state of network security research in industrial control systems and introduces the advantages, disadvantages and applicable scenarios of knowledge-based, mechanism-model-based and data-driven anomaly detection methods. Industrial control systems have task characteristics, large scale and nonlinear properties. A scheme for detecting abnormal conditions of industrial control systems based on network security situation awareness is proposed.

(2) The typical hierarchy of industrial control systems is introduced. According to the system's vulnerability and task characteristics, this paper focuses on the production control loop composed of the field control layer and the field device layer. A mathematical model of the loop is then built, and the types and locations of attacks are analyzed. After modeling these attacks and analyzing their characteristics and the severity of their consequences, this paper focuses on false data injection attacks.

(3) The feasibility of the principal component analysis method for detecting abnormal conditions in industrial control systems is analyzed. The basic principles, statistical indicators and abnormal situation detection process of the principal component analysis (PCA) method and the kernel principal component analysis (KPCA) method are introduced. A representative TE process is selected as the simulation platform, and several types of false data injection attacks are performed on the reactor internal pressure. The detection results for the system's abnormal conditions show that the KPCA method is more suitable for nonlinear systems. Two problems remain, however. The first is that the KPCA method cannot effectively detect small amplitude deviation attacks and random data attacks. The second is that if the working state of the system changes during operation, the KPCA method can cause serious false positives.

(4) To address the detection of small amplitude deviation attacks and random data attacks, a threshold method based on the wavelet transform is used to remove noise from the collected system data samples before detection. Simulation results show that this method can effectively improve the signal-to-noise ratio of the data samples. The KPCA method applied to the processed data samples can effectively detect abnormal conditions caused by small amplitude deviation attacks and random data attacks.

(5) The model of the traditional KPCA method is fixed and cannot adapt to a system whose operating conditions vary. To solve this problem, this paper proposes an improved KPCA method, called the adaptive KPCA method. Its implementation is based on a sliding window mechanism and a forgetting factor, so that the model can be updated dynamically as the system conditions change. The simulation results show that this method can clearly distinguish the system's normal working conditions from abnormal conditions. It can effectively detect abnormal conditions caused by various types of false data injection attacks even when the operating conditions of the system have changed.
Keywords/Search Tags: industrial control system, false data injection attack, removing noise based on wavelet theory, adaptive kernel principal component analysis, abnormal situation detection