
Research On Key Issues Of Anomaly Detection In Industrial Control System Based On One-class Classification

Posted on: 2020-03-19
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Liu
GTID: 2428330572973644
Subject: Computer Science and Technology
Abstract/Summary:
With the development of information technology and changing functional requirements in the field of industrial control systems, industrial control systems are gradually being connected to enterprise networks or the Internet, forming a more open network environment. The information security of traditional industrial control systems is mainly based on physical isolation, and they lack dedicated security defense measures to face the challenges of an open network environment. As a result, the hidden dangers to information security in the field of industrial control systems are becoming more and more prominent.

In this thesis, optimization schemes for anomaly detection in industrial control systems based on the one-class support vector machine are proposed, with improvements on three key issues: data packet preprocessing, time-series feature extraction, and the incremental classification model. The scheme can not only reduce the impact of mixed data packets, but also identify various kinds of anomalies, and at the same time refine and improve the classification results. The specific achievements of this thesis are as follows.

Firstly, after analyzing the influence of mixed data packets in a complex system on the existing time-series feature extraction algorithm, a pre-grouping algorithm based on the characteristics of industrial control systems is designed and implemented to group the data packets from different subsystems. This algorithm avoids interference with the time-series characteristics of the data packets. Experiments show that the pre-grouping algorithm effectively improves the accuracy of anomaly detection compared with the non-grouping situation.

Then, to overcome the limitation that current time-series extraction algorithms miss valid feature information, two new features, traffic and time interval variance, are introduced, and the features of a single data packet are modified. Experiments show that the optimized time-series feature extraction algorithm can identify more kinds of abnormal situations. At the same time, the effects of different levels of reference features on the feature dimension are compared, which proves the necessity of classifying reference features.

Finally, an incremental detection classification algorithm combined with false alarm markers is designed to reduce the occurrence of repeated false alarms and refine the classification results of the anomaly detection model, so as to distinguish detection results of different risk degrees. Experiments show that the incremental detection algorithm combined with false alarm markers can reduce the number of repeated false alarms and improve the accuracy of anomaly detection.
Keywords/Search Tags: Anomaly detection, Industrial control system, One-class support vector machine, Modbus