Research On Anomaly Detection Method In ICS Based On Process Data Correlation

Posted on: 2020-09-04 | Degree: Master | Type: Thesis
Country: China | Candidate: L H Xia | Full Text: PDF
GTID: 2428330575496947 | Subject: Information security
Abstract/Summary:
Industrial control systems (ICS) are widely used for the supervision and control of critical infrastructure such as energy, chemicals, and waste water treatment. In recent years, industrial control systems have been attacked frequently, causing not only major economic losses but also serious threats to national infrastructure and to human life and property. Existing process-data anomaly detection methods for industrial control systems mostly use machine learning to detect anomalies, but such methods lack an effective interpretation of abnormal results, and it is difficult to determine the cause of an anomaly. Therefore, this thesis proposes ICS anomaly detection methods based on process data correlation. The main methods are as follows:

(1) For industrial control systems with discrete control variables, an anomaly detection method based on the first-order difference cumulative sum is designed, which associates and analyzes anomalies according to the control relationships between variables. First, to address the weakness of the cumulative sum method in detecting turning points in noisy data, a turning point determination method based on the first-order difference cumulative sum is proposed. Then, according to the turning points, the control relationship between the actuator variables and the sensor variables is analyzed, and the control set of each sensor is obtained by traversing the subsets of actuator variables. The actuator state is associated with the sensor feature to obtain a correlation feature, which expresses the control effect of the actuator variable on the sensor variable and avoids constructing an accurate physical model. Finally, the correlation feature is used to detect anomalies, and the abnormal interval is determined by the turning point discovery algorithm based on the first-order difference cumulative sum.

(2) For industrial control systems with continuous control variables, an anomaly detection method based on an extended one-class support vector machine boundary is designed, to solve the problem of the one-class support vector machine in classifying noise and to explain abnormal results and trace anomalies based on the correlation of process data. First, the turning point algorithm is used to determine the turning points of the process variables; the procedure adaptively determines the termination threshold and applies to process data with different noise levels. Then, based on two properties, that the cause precedes the effect and that a change in the cause must affect the change of the effect, causality is captured and used to construct a causal graph for tracing abnormal results. Using unsupervised machine learning, a one-class support vector machine is trained on process data to obtain the classification boundary of normal data; because the one-class support vector machine handles noise poorly, the classification boundary is expanded to serve as the abnormal boundary, allowing noise within a certain range. This reduces the false positive rate of anomaly detection, and the source of an anomaly is analyzed for the abnormal variable according to the causal graph.

(3) The effectiveness of the ICS anomaly detection methods is validated on data from the security water treatment system and the Tennessee simulation platform, respectively. The experimental results show that the proposed method based on process data correlation can accurately detect system anomalies and has low false negative and false positive rates. At the same time, compared with existing correlation analysis methods, the turning-point-based correlation analysis method in this thesis is more accurate, and it can effectively locate abnormal intervals and trace anomalies.
Keywords/Search Tags:Industrial control system, anomaly detection, correlation
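
Method (1) of the abstract, turning points found from a cumulative sum over first-order differences and then used to check sensor behaviour against actuator state, is illustrated below as an added example; it is not the thesis's own code. The abstract gives no algorithm details, so the two-sided CUSUM form, the parameters `k` and `h`, all function names, and the constructed tank-level and pump data are assumptions.

```python
import random
from collections import Counter

def turning_points(x, k=0.5, h=3.0):   # k: noise slack, h: threshold (both assumed)
    """Two-sided CUSUM on first-order differences; returns [(index, 'up'|'down')]."""
    g_up = g_dn = 0.0
    s_up = s_dn = 0                     # sample where each sum last left zero
    trend, points = None, []
    for t in range(1, len(x)):
        d = x[t] - x[t - 1]             # first-order difference
        s_up = t - 1 if g_up == 0.0 else s_up
        s_dn = t - 1 if g_dn == 0.0 else s_dn
        g_up = max(0.0, g_up + d - k)
        g_dn = max(0.0, g_dn - d - k)
        for g, start, name in ((g_up, s_up, "up"), (g_dn, s_dn, "down")):
            if g > h and trend != name:  # a new trend is confirmed
                points.append((start, name))   # the first entry is the initial trend
                trend, g_up, g_dn = name, 0.0, 0.0
                break
    return points

def trend_labels(x):
    """Per-sample trend, taken from the most recent turning point."""
    pts = turning_points(x)
    return [next((n for s, n in reversed(pts) if s <= i), None) for i in range(len(x))]

def learn_control(act, x):
    """Map each actuator state to the sensor trend it usually produces."""
    votes = {}
    for a, lab in zip(act, trend_labels(x)):
        votes.setdefault(a, Counter())[lab] += 1
    return {a: c.most_common(1)[0][0] for a, c in votes.items()}

def anomalous_samples(model, act, x):
    """Indices where the sensor trend contradicts the actuator state."""
    pairs = zip(act, trend_labels(x))
    return [i for i, (a, lab) in enumerate(pairs) if model.get(a) != lab]

def tank(seed):
    """Constructed level signal: fill 40, drain 40, fill 40 samples, noise <= 0.2."""
    rng = random.Random(seed)
    clean = list(range(41)) + list(range(39, -1, -1)) + list(range(1, 41))
    return [v + rng.uniform(-0.2, 0.2) for v in clean]

MODEL = learn_control([1] * 40 + [0] * 40 + [1] * 41, tank(1))  # normal pump log
SPOOFED = [1] * 40 + [0] * 81   # constructed: pump logged off while level rises
ALERTS = anomalous_samples(MODEL, SPOOFED, tank(2))
```

`ALERTS` holds the samples in which the level rises although the pump is logged as off, so the abnormal interval is bounded by the turning point at which the contradiction starts.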