Industrial control networks are the interface between information systems and physical systems. Because they lack necessary security measures such as data encryption and authentication, they have become a target of many malicious attacks under the trend of open network connection. As one of the useful means of protecting industrial control systems, network intrusion detection has become a main research direction in this field. Many scholars have conducted deep research on this issue, but their results pay too much attention to control theory rather than to attack behaviors. What is more, the experimental platforms and useful datasets are not enough to support their results. The main contents of the thesis are as follows:

(1) An industrial control network experimental platform is designed and implemented. This platform includes a physical part and an extended simulation part based on control network virtualization. The physical system is made up of master and slave controllers, an engineer station, an operator station, the industrial control network and a traffic monitoring device. The simulation part is based on Docker, which can expand to large-scale industrial control units and provides tools for penetration testing.

(2) The penetration test structure and process are designed based on concrete analysis. According to the threat elements of industrial control systems and the vulnerabilities of typical industrial control protocols, such as MODBUS/TCP, ETHERNET/IP and S7COMM, we summarize the attacks that can be implemented in an industrial control network. Based on the penetration plan and process guide, we develop and conduct data interception, communication blocking, malicious control and stealthy attacks on our platform.

(3) An anomaly detection algorithm based on packet static features is verified and improved. We convert the network packets of the penetration tests on the industrial control platform into text attributes, preprocess the text features and filter out samples of a specific protocol. These data are used to verify the effectiveness of an SVM-based classification algorithm. Because malicious samples are lacking, we design an anomaly detection algorithm based on OCSVM that uses only normal packets.

(4) An anomaly detection algorithm based on a dynamic prediction model of packet sequences is designed and verified. Based on an analysis of the communication mechanism of industrial protocols and the network dynamics of packet sequences, we summarize the similarity between industrial communication and natural language text models. We establish a neural network anomaly detection model based on a long short-term memory (LSTM) neural network and a top-k criterion on the prediction distribution. The experimental results show that its performance is better than that of the OCSVM anomaly detection algorithm. Finally, we analyze the detection ability of this algorithm through data sample visualization.
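The top-k criterion from item (4), as an added example that is not code from the thesis: a count-based n-gram predictor stands in for the LSTM so the block runs without a deep-learning library, and the decision rule (alert when the observed packet is not among the k most likely next packets) is the same. The token encoding (`Q`/`R` for request/response plus the Modbus function code), the function names and all traffic are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def train(sequences, order=2):
    """Learn, from normal traffic only, which token follows each context."""
    model = defaultdict(Counter)
    for seq in sequences:
        for i in range(order, len(seq)):
            model[tuple(seq[i - order:i])][seq[i]] += 1
    return model

def top_k(model, context, k):
    """The k most likely next tokens; empty when the context was never seen."""
    counts = model.get(tuple(context), Counter())
    return [tok for tok, _ in counts.most_common(k)]

def detect(model, seq, order=2, k=2):
    """Indices of packets whose token falls outside the top-k prediction."""
    return [i for i in range(order, len(seq))
            if seq[i] not in top_k(model, seq[i - order:i], k)]

# Constructed normal traffic (assumption): a master polls holding registers
# (function code 3) and coils (1); an operator sometimes writes registers (16).
POLL = ["Q3", "R3", "Q1", "R1"]
NORMAL = [POLL * 20, (POLL + ["Q16", "R16"] + POLL) * 3]
MODEL = train(NORMAL)

# Constructed test traffic: a Write Single Coil (5) request that the learned
# polling cycle never contains, placed mid-cycle.
INJECTED = ["Q3", "R3", "Q1", "R1", "Q3", "R3", "Q5", "R5", "Q1", "R1"]
# Legitimate but rare operator write: shows the false-positive cost of small k.
RARE_WRITE = ["Q3", "R3", "Q1", "R1", "Q16", "R16", "Q3", "R3"]

if __name__ == "__main__":
    print("injected, k=2:  ", detect(MODEL, INJECTED, k=2))
    print("rare write, k=1:", detect(MODEL, RARE_WRITE, k=1))
    print("rare write, k=2:", detect(MODEL, RARE_WRITE, k=2))
```

Alerts continue after the injected request until the context window again holds only known traffic, so one anomalous packet typically produces a short burst of alerts.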