Research On Anomaly Detection Method Of SCADA System Based On Behavior Analysis

Posted on: 2020-05-27
Degree: Master
Type: Thesis
Country: China
Candidate: T S Chen
GTID: 2428330596995465
Subject: Computer technology
Abstract/Summary:
Industrial control systems are widely used in industries such as nuclear energy, rail transportation, water conservancy, electric power, steel and petroleum. The security of industrial control systems mainly depends on the closed nature of the system, and security protection measures are hardly considered. With interconnection to external systems, the defects of industrial control systems are exposed and the systems become vulnerable to various attacks. As the core of the industrial control system, the SCADA (Supervisory Control and Data Acquisition) system is the main target of attack. SCADA systems use proprietary communication mechanisms and protocols and are isolated from external public networks, which guarantees their security. In order to improve the efficiency of resource allocation and production, SCADA systems have become more open and cooperative and have begun to interconnect with external public networks; in addition, private protocols are becoming more open and standardized, but security problems are growing in the meantime. Frequent industrial control security incidents also indicate that SCADA systems are facing increasingly serious security threats.

Intrusion detection is an indispensable part of SCADA system security protection measures. Because of the special network topology and proprietary industrial protocols of SCADA, the intrusion detection methods of IT systems cannot be directly applied to SCADA. Research on intrusion detection methods suitable for SCADA systems has become a research hotspot. Intrusion detection is mainly divided into misuse detection and anomaly detection. Faced with endless attacks, anomaly detection methods that can detect new, unknown attacks have become the focus and difficulty of research. This paper mainly studied the SCADA system anomalies caused by intrusion and their detection methods.

The main work of this paper includes:

1. The background and significance of SCADA system anomaly detection methods were introduced. Anomaly detection methods for SCADA systems at home and abroad were summarized. The SCADA system was introduced, the reasons for its security risks were analyzed based on its network architecture and development characteristics, and the relevant methods were elaborated in detail.
2. Aiming at the problem that anomaly detection methods based on traditional machine learning algorithms such as SVM, C4.5 and NN cannot effectively deal with the massive, high-dimensional, time-related network traffic data in SCADA systems, an anomaly detection method based on a GRU neural network optimized by Adam was studied from the perspective of deep learning. The principle and anomaly detection process of this method were described in detail. A comparison experiment and result analysis were carried out on a standard industrial control system data set.
3. In order to meet the requirements of high real-time performance and distributed deployment for SCADA systems, an anomaly detection method based on an isolation forest optimized by information gain was studied from the perspective of ensemble learning. The principle of the method and the anomaly detection model were analyzed in detail. Simulation experiments of the proposed method were carried out on a power system data set.

The innovations of this paper include:

1. An anomaly detection method based on an Adam-optimized GRU neural network was proposed. The deep structure of the GRU was used to fully learn the data features. The update gate and the reset gate of the GRU were used to preserve information about the data in the time dimension, and the Adam algorithm was used to optimize the gradient training process of the neural network. The results of comparison experiments showed that the proposed method had higher classification accuracy than SVM, decision tree, NN and RNN, and that its accuracy was basically the same as that of LSTM while the training time was reduced.
2. In order to solve the problem that the large number of redundant features in SCADA data hinders isolation trees from separating outliers, an anomaly detection method based on isolation forest and information gain was proposed. Data points with the shortest path lengths in each isolation tree were identified as abnormal points, information gain was used to rank features in descending order, and the features with high learning value were taken as the input of the isolation forest. The method can be used for online learning and detection, which meets the requirements of distributed deployment and real-time detection in SCADA systems. The experimental results on power system attack data sets showed that the isolation forest anomaly detection method optimized by information gain was superior to KNN, SVM, OneR, RIPPER, Naïve Bayes and random forest in accuracy and recall rate. Moreover, training on a small sample can achieve a high AUC and a low processing time.
Keywords/Search Tags:Abnormal detection, SCADA, Behavior analysis, GRU, iForest
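
The second method in the abstract (rank features by information gain, then feed the top-ranked ones to an isolation forest that flags points with short path lengths) can be sketched as follows. This is an added example, not code from the thesis: the median split used for information gain, the choice of two features, the tree count and subsample size, and the data set are all assumptions made here. Only the ranking step needs labels; the forest itself is unsupervised.

```python
import math, random

def entropy(labels):
    n = len(labels)
    return -sum(k / n * math.log2(k / n) for k in map(labels.count, set(labels)))

def info_gain(col, labels):
    """Gain from splitting one feature at its median (split rule is an assumption)."""
    cut = sorted(col)[len(col) // 2]
    halves = [[y for x, y in zip(col, labels) if (x < cut) == s] for s in (True, False)]
    return entropy(labels) - sum(len(h) / len(col) * entropy(h) for h in halves if h)

def rank_features(rows, labels):
    """Feature indices in descending order of information gain."""
    gains = [info_gain([r[j] for r in rows], labels) for j in range(len(rows[0]))]
    return sorted(range(len(gains)), key=lambda j: -gains[j])

def c(n):  # average path length used to normalise isolation forest scores
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n if n > 1 else 0.0

def grow(sample, rng, depth, limit):
    if depth >= limit or len(sample) <= 1:
        return len(sample)                       # leaf stores how many points remain
    j = rng.randrange(len(sample[0]))
    lo, hi = min(r[j] for r in sample), max(r[j] for r in sample)
    if lo == hi:
        return len(sample)
    cut = rng.uniform(lo, hi)                    # random axis-parallel cut
    return (j, cut, grow([r for r in sample if r[j] < cut], rng, depth + 1, limit),
            grow([r for r in sample if r[j] >= cut], rng, depth + 1, limit))

def path_len(x, node, depth=0):
    if isinstance(node, int):
        return depth + c(node)
    j, cut, left, right = node
    return path_len(x, left if x[j] < cut else right, depth + 1)

def iforest_scores(rows, n_trees=100, psi=64, seed=1):
    """Anomaly score in (0, 1); a short average path length gives a high score."""
    rng, limit = random.Random(seed), math.ceil(math.log2(psi))
    trees = [grow(rng.sample(rows, psi), rng, 0, limit) for _ in range(n_trees)]
    return [2 ** (-sum(path_len(x, t) for t in trees) / n_trees / c(psi)) for x in rows]

# Constructed data: features 0 and 2 carry the attack signal, 1 and 3 are redundant noise.
_r = random.Random(42)
ROWS = [[_r.gauss(0, 1) for _ in range(4)] for _ in range(200)]
ROWS += [[_r.uniform(6, 14), _r.gauss(0, 1), _r.uniform(6, 14), _r.gauss(0, 1)] for _ in range(20)]
LABELS = [0] * 200 + [1] * 20
TOP = sorted(rank_features(ROWS, LABELS)[:2])    # keep the two highest-gain features
SCORES = iforest_scores([[r[j] for j in TOP] for r in ROWS])
```

Dropping the noise features before building the trees means every random cut lands on a dimension where the constructed attack rows actually stand apart, which is the effect the abstract attributes to the information gain step.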