
Research On Anomaly Detection Method In ICS Based On Causality

Posted on: 2021-03-08
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Cao
GTID: 2428330614960441
Subject: Computer technology
Abstract/Summary:
With the advent of the era of Industry 4.0, the attack and destruction of Industrial Control Systems (ICS) will cause significant social and economic losses and even threaten the safety of personal life and property. At present, the anomaly detection methods for ICS physical process data are mostly machine learning, correlation analysis, and statistical data analysis. However, due to the dependency relationships among the nonlinear ICS data and a large amount of noise, these anomaly detection methods have problems such as poor accuracy, easy loss of potential information, and inability to determine the cause of anomalies due to their poor interpretability. This thesis proposes an ICS anomaly detection method based on causality mutations for ICS physical process data. The main work of this thesis is as follows:

(1) Aiming at the problem that conventional anomaly detection algorithms are not highly interpretable for non-linear data, a causality modeling algorithm based on maximum information transfer entropy is designed. Causality mutations reflect system anomalies and increase or decrease the interpretability of results. First, because actual ICS data is often continuous and non-linear, the maximum information coefficient is used to construct the correlation structure between the system and equipment. Second, because the correlation relationships in ICS are complicated, a screening factor is designed to filter out weak correlations, reducing distractions in the subsequent analysis of the major relationships. Subsequently, transfer entropy is introduced to transform the correlation architecture into a stable, one-way causal network, and the valuation algorithm is optimized to improve its calculation efficiency. Finally, anomaly traceability rules are designed to obtain a clear anomaly propagation path in the one-way stable causal network.

(2) For the abnormal equipment located by causal modeling, a univariate anomaly detection method based on hybrid first-order difference and cumulative sum is designed to accurately detect anomalies. First, because ICS data contains a large amount of noise, the "difference threshold based on extended confidence interval" strategy is used to add an allowable noise error to the detection, in order to reduce the false positive rate of the algorithm. Second, to address the problem that conventional algorithms based on linear boundaries are prone to miss intermediate abnormal data, the "situation awareness based on difference cumulative sum" strategy is used to review the data between abnormal clusters, which reduces the false negative rate of the algorithm. Finally, considering that conventional algorithms cannot easily identify specific anomaly categories, the "anomaly recognition based on ternary hybrid differential and cumulative sum" strategy is used to distinguish the type of anomaly based on the monotonicity of the anomaly sequence, so as to feed back more anomaly-related information to the ICS manager.

(3) The proposed causal modeling algorithm and anomaly detection algorithm are tested for validity on attack test data and fault data based on the Tennessee Eastman simulation platform. Experimental results show that the proposed causal modeling algorithm can locate the anomaly source and trace the anomaly propagation path. In addition, the anomaly detection algorithm can effectively identify anomalous data in a single device and identify the type of anomaly, with better accuracy than the comparison algorithm.
Keywords/Search Tags:Industrial control system, anomaly detection, causal relationship mining, time series trend anomaly
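
The step in part (1) of the abstract that turns a correlated pair of process variables into a one-way causal edge can be illustrated with a plain transfer-entropy estimate; this is an added example, not the thesis's optimized algorithm. The history length of 1, the equal-frequency binning, the `margin` tie rule and the `valve`/`level` signals are all assumptions made for the illustration.

```python
import math
import random
from collections import Counter

def quantile_bins(series, k=3):
    """Map each sample to one of k equal-frequency bins (rank-based, assumed)."""
    order = sorted(range(len(series)), key=series.__getitem__)
    bins = [0] * len(series)
    for rank, idx in enumerate(order):
        bins[idx] = rank * k // len(series)
    return bins

def transfer_entropy(src, dst, k=3):
    """Plug-in estimate of TE(src -> dst) in bits, history length 1 (assumed)."""
    s, d = quantile_bins(src, k), quantile_bins(dst, k)
    n = len(d) - 1
    triples = Counter(zip(d[1:], d[:-1], s[:-1]))    # (d_next, d_now, s_now)
    pairs_ds = Counter(zip(d[:-1], s[:-1]))          # (d_now, s_now)
    pairs_dd = Counter(zip(d[1:], d[:-1]))           # (d_next, d_now)
    singles = Counter(d[:-1])                        # d_now
    te = 0.0
    for (dn, dc, sc), c in triples.items():
        p_full = c / pairs_ds[(dc, sc)]              # p(d_next | d_now, s_now)
        p_self = pairs_dd[(dn, dc)] / singles[dc]    # p(d_next | d_now)
        te += (c / n) * math.log2(p_full / p_self)
    return te

def orient_edge(a, b, name_a, name_b, margin=0.05):
    """Direct a correlated pair by the larger transfer entropy.
    Returns None when the gap is below `margin` (hypothetical tie rule)."""
    te_ab, te_ba = transfer_entropy(a, b), transfer_entropy(b, a)
    if abs(te_ab - te_ba) < margin:
        return None
    return (name_a, name_b) if te_ab > te_ba else (name_b, name_a)

def constructed_process(n=5000, seed=7):
    """Constructed data: level[t+1] follows valve[t] with a one-step lag."""
    rng = random.Random(seed)
    valve = [rng.gauss(0, 1) for _ in range(n)]
    level = [0.0]
    for t in range(n - 1):
        level.append(0.8 * level[t] + 0.5 * valve[t] + rng.gauss(0, 0.1))
    return valve, level

if __name__ == "__main__":
    valve, level = constructed_process()
    print(orient_edge(valve, level, "valve", "level"))
```

The two signals are strongly correlated in both directions, but only the valve-to-level direction carries information about the next sample, which is what lets the undirected correlation edge be replaced by a single directed one.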