
Research And Implementation Of Anomaly Detection Method For Industrial Control System Network Traffic

Posted on: 2021-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z Pan
GTID: 2428330605474891
Subject: Computer technology
Abstract/Summary:

With the rapid development of information technology, ICSs (Industrial Control Systems) have broken away from the traditional form of physical isolation and are increasingly connected to external networks. Although this makes ICSs more productive, it also makes them more vulnerable to attack. In recent years, there have been multiple intrusions into ICSs all over the world, causing very serious consequences and even threatening national security. Therefore, under the requirements of intelligent and automated modern industrial development, ICS intrusion detection has become one of the research hotspots in information security. Anomaly detection research is an important part of intrusion detection research. Based on the analysis and study of various existing industrial control system anomaly detection methods, this paper mainly takes the SCADA (Supervisory Control and Data Acquisition) system and the Siemens S7 industrial control system network protocol as its research targets. The research work consists of the following three parts:

(1) For ICS network traffic with highly periodic characteristics and multiplexing, this paper proposes an automatic modeling method based on I/O channel separation and spectrum analysis, which incorporates domain knowledge. This ICS traffic anomaly detection method identifies and groups the traffic data by I/O address, and builds an automaton model of the traffic pattern using an optimized spectrum analysis method. Experiments show that this method is superior to other modeling methods in terms of model accuracy and reduces human intervention to a certain extent.

(2) Anomalies caused by known ICS traffic symbols are more difficult to detect than those caused by unknown traffic symbols. In order to better represent the network traffic patterns of the industrial control system and reduce the false positives of the anomaly detection model, this paper uses the physical levels of the industrial control system to divide the traffic into different dimensions, and on that basis studies multi-level anomaly detection modeling of industrial control system network traffic. The experimental results show that the multi-level anomaly detection model can effectively improve the anomaly detection effect.

(3) Based on the I/O channel separation and spectrum analysis modeling method and the multi-level anomaly detection model proposed above, this paper designs and implements an ICS network traffic model construction and anomaly detection system.
Keywords/Search Tags: Industrial Control System, anomaly detection, I/O channel separation, multilevel anomaly detection model