
Detecting Anomalies In Industrial Control Systems Based On Network Traffic

Posted on: 2021-01-31
Degree: Master
Type: Thesis
Country: China
Candidate: L Zhang
GTID: 2428330614471799
Subject: Computer Science and Technology

Abstract/Summary:
With the introduction of Industry 4.0 and Made in China 2025, the integration of the industrial Internet with information networks has accelerated. Traditional network communication technologies are now widely used in industrial control networks, and with the new generation of the industrial Internet, control networks built on networked architectures are also widespread. Because of the wide range of application scenarios and system performance requirements, relying solely on the isolation and closure of the control system network environment as a security measure can no longer cope with the complexity of today's industrial control scenarios. Industrial control networks are usually built only to achieve system availability, and the security of the control network is rarely considered, which leaves industrial control systems exposed to high security risks. In recent years, industrial control security incidents have occurred frequently, and the network security of industrial control systems, as critical infrastructure, has become more important.

At present, in the traditional network security field, many types of detection methods used by industry and by domestic and foreign researchers occupy an important position in network security protection. With the development of machine learning, this has also become the main research direction. Anomaly detection methods based on traditional machine learning algorithms have the following problems. First, a large amount of expert auditing and feature engineering must be carried out on network traffic to collect high-quality feature sets that guarantee the accuracy and effectiveness of detection; this process is inefficient and expensive. Second, it is difficult for the model to reduce the impact of mixed data packets in a complex system, it is difficult to identify flow characteristics across multiple time sequences, and publicly available real flow data for control system networks is very scarce.

This thesis constructs an anomaly detection method based on the network flows of a power core control system to solve these two problems. The method uses an end-to-end structure to avoid the difficulty of parsing private protocols, and uses a Transformer-based encoder to extract complex sequential features between flows to support classification-based detection. A data set for abnormal behaviour detection was constructed on an intelligent power generation distributed control system and an intelligent power transformation system platform. The main research work and innovations are as follows:

(1) The effective timing relationships and association relationships between traffic are used to support detection. The vulnerabilities of the communication protocols used by the above systems are analysed, common attacks are carried out in a real industrial control network environment, and a summary analysis is performed. Penetration testing schemes for the related control systems are introduced, and communication data tampering, denial of service attacks, Industroyer malware attacks, and scanning and sniffing are designed and implemented. By analysing the organisational structure of the power core control system, based on the distributed control system in the power generation environment, the network flows of communications and of operations such as telemetry and related actions in the intelligent substation system are collected.

(2) This thesis analyses the impact of mixed data packets in complex power control system networks and of the difficulty of parsing private protocols on feature extraction and detection algorithms, designs and implements feature extraction schemes and sequence analysis algorithms based on the characteristics of industrial control systems, and studies their timing and correlation features. Preprocessing the data packets of the different subsystems into traffic clusters prepares them for the subsequent extraction of the packets' timing and association characteristics. The raw network traffic is used as the input of the neural network, and feature extraction is completed by the end-to-end deep learning model, reducing the dependence of traditional machine learning algorithms on feature engineering and improving efficiency. Three different classifiers were used in verification experiments; the results show that the processing method meets the requirements of real application scenarios in terms of detection accuracy, precision and F1 score.

(3) An improved convolutional neural network algorithm is studied and verified for anomaly detection. A penetration test platform for the electric power industrial control network is built, the raw traffic groups formed by the system's network packets are collected, preprocessing experiments are completed on these traffic groups, and the effectiveness of the convolutional neural network classifier in abnormal traffic detection is tested. Taking into account the vulnerability of real industrial control scenarios, an anomaly detection algorithm based on a convolutional neural network is constructed on the power control system data set.

(4) An anomaly detection model for industrial control networks based on an attention model is proposed and verified. By analysing the communication mechanism of the industrial control network protocol and the dynamic characteristics of the flow packets, a similarity between industrial control network flow detection and natural language text processing is identified. An anomaly detection model is built on the Transformer's multi-head attention mechanism, and experiments show its performance to be superior to convolutional neural networks and traditional anomaly detection algorithms. A visualisation system built on the detection results allows the detection capability against the penetration test attacks to be analysed intuitively.
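The preprocessing step described in (2), clustering raw packets into flows and turning each flow into a fixed-shape sequence of timing, direction and raw-byte rows that an end-to-end CNN or Transformer classifier can consume, is illustrated below. This is an added example written for this page, not code from the thesis; the packet tuple format, the byte values and the SEQ_LEN and MAX_PKTS sizes are assumptions, and the packets are constructed samples rather than real control-system traffic.

```python
from collections import defaultdict

# Constructed sample packets: (timestamp_s, src, dst, payload). Not real ICS frames.
PACKETS = [
    (0.00, "10.0.1.10", "10.0.1.20", b"\x68\x04\x07\x00\x00\x00"),
    (0.10, "10.0.1.20", "10.0.1.10", b"\x68\x04\x0b\x00\x00\x00"),
    (0.20, "10.0.1.11", "10.0.1.20", b"\x68\x0e\x00\x00\x00\x00\x64\x01\x06\x00\x01\x00\x00\x00\x00\x14"),
    (1.20, "10.0.1.10", "10.0.1.20", b"\x68\x04\x43\x00\x00\x00"),
    (1.21, "10.0.1.20", "10.0.1.10", b"\x68\x04\x83\x00\x00\x00"),
]

SEQ_LEN = 8    # assumed: raw bytes kept per packet (pad/truncate), model input width
MAX_PKTS = 4   # assumed: packets kept per flow sequence (the timing axis)


def flow_key(src, dst):
    """Bidirectional key so a request and its reply land in the same traffic cluster."""
    return tuple(sorted((src, dst)))


def group_flows(packets):
    """Cluster packets into flows while preserving arrival order."""
    flows = defaultdict(list)
    for ts, src, dst, payload in sorted(packets, key=lambda p: p[0]):
        flows[flow_key(src, dst)].append((ts, src, payload))
    return flows


def packet_vector(payload):
    """End-to-end input: raw bytes scaled to [0, 1], zero-padded or truncated to SEQ_LEN.
    No protocol parsing is done, which is the point of the end-to-end approach."""
    b = payload[:SEQ_LEN] + b"\x00" * max(0, SEQ_LEN - len(payload))
    return [x / 255.0 for x in b]


def flow_features(flow):
    """One row per packet: [inter-arrival seconds, direction flag, byte vector...]."""
    rows, first_src, prev_ts = [], flow[0][1], flow[0][0]
    for ts, src, payload in flow[:MAX_PKTS]:
        rows.append([ts - prev_ts, 1.0 if src == first_src else 0.0] + packet_vector(payload))
        prev_ts = ts
    while len(rows) < MAX_PKTS:   # pad short flows so every sample has the same shape
        rows.append([0.0] * (2 + SEQ_LEN))
    return rows


def build_dataset(packets):
    """Map flow key -> MAX_PKTS x (2 + SEQ_LEN) matrix ready for a sequence classifier."""
    return {k: flow_features(v) for k, v in group_flows(packets).items()}
```

Each matrix carries the timing relationship (inter-arrival column), the request/response association (direction column) and the unparsed payload bytes, so a classifier can learn the sequential features without hand-built protocol decoders.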
Keywords/Search Tags: Anomaly detection, Industrial control system, Convolutional neural network, Attention model