Intrusion Detection Of Industrial Cognitive Networks Based On Residual Estimation Of System States With Anomaly Monitoring Of Network Traffic

Posted on: 2021-05-11
Degree: Master
Type: Thesis
Country: China
Candidate: W X Zhang
GTID: 2428330611460704
Subject: Computer technology
Abstract/Summary:
The industrial cognitive network system (ICNS), integrating communication, computing and control, is a large-scale, distributed, complex, heterogeneous and deeply embedded real-time system, and is regarded as a core technology of intelligent manufacturing. With the rapid development of networks and information technologies, ICNS is gradually moving towards a distributed, networked and open architecture. The relative independence and isolation of industrial control systems is being broken down, so the inherent security that system isolation provided no longer holds. However, security monitoring and protection measures for ICNS are far from satisfactory. Various viruses and Trojans, represented by Stuxnet, seriously threaten the safety of ICNS, so it is urgent to develop efficient and effective ICNS intrusion detection methods to ensure the safe operation of ICNSs.

Concealed attacks can camouflage or hide their behavior in legitimate network data flows, using acquired system knowledge and the historical data of sensor system nodes, to avoid detection by traditional network intrusion detection methods, which results in a high missed-detection rate. Moreover, fluctuations in sensor system data flow caused by the mode conversion of an industrial control system are easily classified as attack behavior by traditional network intrusion detection systems, which brings high false alarm rates. To overcome these issues, this thesis proposes an ICNS intrusion detection scheme that integrates system state estimation and network traffic anomaly monitoring. By introducing a state anomaly detector and a traffic anomaly detector into security monitoring, the scheme can detect not only concealed attacks with model knowledge and resources disclosure, but also system attacks that lead to system state changes, so as to achieve more comprehensive ICNS security protection. The main contributions can be summarized as follows:

(1) To address the low detection rate and high false alarm rate of traditional intrusion detection methods for covert attacks, an ICNS intrusion detection method based on residual estimation of the sensor system state is presented. Firstly, an improved noise-adaptive nonlinear Kalman filtering method based on the variational Bayes framework is proposed for process state modeling of the nonlinear sensor system; network security monitoring is then carried out by anomaly detection on the state (estimation) residual of the system. In addition, to ensure detection efficiency in a large-scale ICNS, a distributed intrusion detection framework is introduced, which clusters the sensor nodes in the ICNS to realize distributed ICNS security monitoring.

(2) To address the low stability and strong dependence on algorithm initialization of traditional intrusion detection methods based on traffic anomaly detection, an intrusion detection method based on online adaptive learning of normal/abnormal network traffic modes is proposed. Firstly, an improved N-Burst model is used to describe the traffic patterns of ICNSs, and then an improved K-means method based on clustering stability optimization is proposed to learn the normal/abnormal network traffic patterns and establish the corresponding pattern database for online intrusion detection. In addition, to further improve the detection rate of rare and unknown intrusion types and reduce the false alarm rate, a cache mode database based on the normal mode database and the abnormal mode database is introduced for sparse or unseen attack detection, improving the performance of the ICNS intrusion detection system.

Finally, the effectiveness and performance superiority of the proposed intrusion detection scheme were verified on numerical simulation systems and TrueTime simulation systems. Experimental results indicate that the proposed method can detect various potential attacks in an ICNS effectively and efficiently, achieving a high detection rate and a low false detection rate for both known and unknown attacks, and providing a feasible solution for the overall security protection of ICNS.
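The state-residual idea in contribution (1), as an added example that is not code from the thesis: it swaps the thesis's variational-Bayes noise-adaptive nonlinear Kalman filter for a plain scalar linear Kalman filter with a chi-square test on the normalized residual. The sensor trace, the function names and all parameter values are constructed for illustration; the trace contains a commanded mode change at step 30 and a constant injected measurement bias from step 60.

```python
import math

CHI2_1DOF_99 = 6.63  # 99% quantile of chi-square with 1 degree of freedom

def residual_alarms(z, u, x0=5.0, p0=1.0, q=1e-4, r=1e-2):
    """Return sample indices whose normalized squared residual exceeds the threshold.

    z: measurements, u: known control input per step (assumed model x[k+1] = x[k] + u[k]),
    q/r: assumed process and measurement noise variances.
    """
    x, p, alarms = x0, p0, []
    for k, (zk, uk) in enumerate(zip(z, u)):
        x_pred = x + uk              # predict using the known control input
        p_pred = p + q
        resid = zk - x_pred          # state-estimation residual (innovation)
        s = p_pred + r               # residual variance expected by the model
        if resid * resid / s > CHI2_1DOF_99:
            alarms.append(k)
            # Design choice of this sketch: a flagged measurement is not
            # folded into the state, so the estimate cannot be dragged along.
            x, p = x_pred, p_pred
        else:
            gain = p_pred / s
            x = x_pred + gain * resid
            p = (1 - gain) * p_pred
    return alarms

def constructed_trace(n=80, mode_change=30, attack_start=60):
    """Constructed data: level 5.0, commanded step to 7.0, then a +1.0 sensor bias."""
    z, u = [], []
    for k in range(n):
        level = 5.0 if k < mode_change else 7.0
        bias = 1.0 if k >= attack_start else 0.0
        z.append(level + 0.05 * math.sin(1.3 * k) + bias)   # small deterministic ripple
        u.append(2.0 if k == mode_change else 0.0)
    return z, u

if __name__ == "__main__":
    z, u = constructed_trace()
    print("model-aware alarms:", residual_alarms(z, u))
    print("model-blind alarms:", residual_alarms(z, [0.0] * len(z)))
```

With the control input supplied, the mode change at step 30 raises no alarm and only the biased samples are flagged; with the input withheld, the same detector starts alarming at the legitimate mode change, which is the false-alarm case the abstract describes.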
Keywords/Search Tags:Industrial cognitive network, Network intrusion detection, Abnormal condition monitoring, Abnormal flow monitoring, Variational Bayes, Adaptive Kalman filter, Pattern learning