
Design And Implementation Of Industrial Control Network Intrusion Detection System Based On Network Traffic

Posted on: 2021-05-21
Degree: Master
Type: Thesis
Country: China
Candidate: D B Jiang
GTID: 2428330632462645
Subject: Computer technology
Abstract/Summary:

With the development of industrial control networks, a great deal of general-purpose software and hardware has been deployed in them. At the same time, industrial control networks have become more and more open. While they increase productivity, they also face growing threats from external networks. Industrial control network protocols, including Modbus/TCP, lack the necessary security mechanisms, which poses a serious threat to industrial control networks as informatization and industrialization continue to integrate. This paper designs and implements a real-time, traffic-based intrusion detection system, combined with distributed computing technology, for Modbus/TCP-based industrial control networks.

First, this paper studies the industrial control network architecture and analyzes the characteristics of industrial control networks and the threats to their security. Then the protocol specification and security of Modbus/TCP, which is widely used in industry, are studied, and the security weaknesses and vulnerabilities of the protocol are analyzed and summarized.

Second, this paper analyzes two intrusion detection technologies for industrial control networks and chooses the anomaly-based method as the main detection technology. To design an anomaly-based intrusion detection system, this paper analyzes traffic collected from a real industrial control network. When the traffic is separated into channels, the instructions of each channel are found to be periodic and stable. Based on these characteristics, and after experiments and analysis, this paper designs a multi-dimensional hybrid intrusion detection system comprising Modbus/TCP packet detection based on Deep Packet Inspection and DBSCAN, instruction frequency detection, and per-channel instruction sequence detection based on pattern matching and a Bloom filter.

Finally, considering the continuous flow of industrial control network traffic and the requirement for detection efficiency, this paper studies the mainstream distributed stream computing technologies. Through analysis and comparison, Apache Flink is chosen as the real-time computing technology for the detection system. A real-time detection system is then designed and implemented based on Flink and the distributed message queue Kafka. Functional and performance tests show that the detection system not only meets its functional requirements but also achieves sub-second detection delay.
Keywords/Search Tags: industrial control network, Modbus/TCP, intrusion detection, distributed computing, Flink
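The per-channel instruction sequence detection described in the abstract can be illustrated with the following added example, which is not code from the thesis: it validates the Modbus/TCP MBAP header, then checks sliding windows of function codes per channel against a Bloom filter learned from normal traffic. The channel definition (source, destination, unit id), the window length of 3, the filter size and all class and function names are assumptions, and the sample frames are constructed.

```python
import hashlib
import struct
from collections import defaultdict, deque

class Bloom:
    """Bloom filter with k bit positions taken from one SHA-256 digest."""
    def __init__(self, bits=4096, k=4):
        self.bits, self.k, self.arr = bits, k, bytearray(bits // 8)
    def _pos(self, item):
        d = hashlib.sha256(item).digest()
        return [int.from_bytes(d[4*i:4*i+4], "big") % self.bits for i in range(self.k)]
    def add(self, item):
        for p in self._pos(item):
            self.arr[p >> 3] |= 1 << (p & 7)
    def __contains__(self, item):
        return all(self.arr[p >> 3] & (1 << (p & 7)) for p in self._pos(item))

def parse_modbus(payload):
    """DPI step: return (unit_id, function_code), or None if the MBAP header is invalid."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # protocol id is 0; length covers unit id + PDU
        return None
    return unit, payload[7]

class SequenceDetector:
    """Per-channel function-code n-grams; learned n-grams are stored in the Bloom filter."""
    def __init__(self, n=3):
        self.n, self.known = n, Bloom()
        self.hist = defaultdict(lambda: deque(maxlen=n))
    def _ngram(self, channel, payload):
        parsed = parse_modbus(payload)
        if parsed is None:
            return None
        key = (*channel, parsed[0])  # assumed channel: (src, dst, unit id)
        self.hist[key].append(parsed[1])
        return repr((key, tuple(self.hist[key]))).encode()
    def train(self, channel, payload):
        item = self._ngram(channel, payload)
        if item is not None:
            self.known.add(item)
    def check(self, channel, payload):
        item = self._ngram(channel, payload)
        if item is None:
            return "malformed"
        return "ok" if item in self.known else "unseen-sequence"

def frame(tid, unit, fc, data=b"\x00\x00\x00\x01"):
    """Build a constructed Modbus/TCP request for sample traffic."""
    return struct.pack(">HHHBB", tid, 0, 2 + len(data), unit, fc) + data
```

A Bloom filter never misses a learned sequence but can occasionally accept an unseen one, so the filter size bounds the false-negative rate of the detector.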