
Research And Implementation Of Intrusion Detection Technology For Industrial Control System Based On Snort

Posted on: 2021-12-28
Degree: Master
Type: Thesis
Country: China
Candidate: K Sun
Full Text: PDF
GTID: 2518306050471114
Subject: Master of Engineering

Abstract/Summary:
With the widespread application of information technologies such as the Internet in the industrial field, the combination of industrial control systems and enterprise information security management systems has increased the networking and informatization of industrial control systems. At the same time, cyber security threats have gradually spread to industrial control system networks that used to be closed and independent. As the core of national infrastructure, industrial control systems are widely used in the petroleum, chemical, and power industries. In the past few years, attacks on industrial control systems (ICS) have become more frequent and more complex. The most common goals of these attacks are to control or monitor physical processes, manipulate programmable controllers, or affect the integrity of software and network equipment. Industrial control system intrusion detection technology, as a typical security protection technology, can effectively detect external attacks and improve the security of industrial control systems.

Intrusion detection for industrial control systems has mainly focused on research based on the TCP/IP protocol, and there is no targeted detection method for industrial control system protocols based on Ethernet communication. This article analyzes EtherCAT field-level communication principles from a security perspective. Studies show that the EtherCAT protocol, like other Ethernet-based communication protocols, lacks the necessary security features, such as authentication, communication encryption and authorization, and is extremely vulnerable to MAC spoofing, data injection and other advanced attacks. In order to prevent, detect and reduce attacks on key systems based on EtherCAT, this paper summarizes the existing research and proposes an intrusion detection scheme for industrial control systems based on EtherCAT communication.

The main work is as follows. First, by analyzing the working principle of the Snort framework, the open source Snort intrusion detection system was improved, and an EtherCAT protocol packet decoding module was added to support data packets that are not processed by the transport layer and the network layer. Secondly, by analyzing the vulnerability of EtherCAT, an intrusion detection template for the EtherCAT protocol and an EtherCAT dynamic preprocessor for alerting on abnormal traffic were designed. Finally, a novel method called node configuration is proposed and applied to the dynamic preprocessor. The EtherCAT dynamic preprocessor is very different from the ICS preprocessors supported in other studies (such as DNP3 and Modbus/TCP). In addition to supporting traditional rule extensions, it can also process Layer 2 packets and perform deep packet inspection on EtherCAT packets using the node configuration method. This method first identifies the communication nodes approved by the engineering station according to the EtherCAT network information (ENI) configuration file, and then inspects the incoming data packets in depth according to the protocol specifications. Using the extended Snort and the proposed trusted configuration method to inspect traffic in the industrial control system, related attacks or anomalies are successfully detected and alerts are raised on abnormal traffic, which can provide basic security protection for systems based on EtherCAT.
Keywords/Search Tags:Snort, EtherCAT, Intrusion detection, Industrial control system
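
The node-configuration check described in the abstract, as an added Python example that is not code from the thesis or from Snort. The approved master MAC and station addresses are constructed stand-ins for values the scheme would read from the ENI file, `inspect_frame` and `build_frame` are hypothetical names, and only untagged Layer 2 frames with EtherType 0x88A4 are handled.

```python
import struct

ETHERTYPE_ECAT = 0x88A4
FIXED_ADDR_CMDS = {4, 5, 6, 14}   # FPRD, FPWR, FPRW, FRMW: ADP is a configured station address
MAX_CMD = 14                      # highest defined datagram command (FRMW)
# Constructed allowlist (assumption): stands in for the nodes listed in the ENI file.
APPROVED_MASTERS = {bytes.fromhex("020000000001")}
APPROVED_STATIONS = {0x1001, 0x1002}

def inspect_frame(frame, masters=APPROVED_MASTERS, stations=APPROVED_STATIONS):
    """Return alert strings for one raw Ethernet frame (empty list = nothing to report)."""
    if len(frame) < 16 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ECAT:
        return []                                   # not an EtherCAT Layer 2 frame
    alerts = []
    if frame[6:12] not in masters:                  # step 1: approved node check
        alerts.append("unapproved source MAC " + frame[6:12].hex(":"))
    (hdr,) = struct.unpack_from("<H", frame, 14)    # EtherCAT header is little-endian
    length, ftype = hdr & 0x07FF, hdr >> 12
    if ftype != 1:                                  # type 1 carries EtherCAT datagrams
        return alerts + [f"unexpected EtherCAT frame type {ftype}"]
    body = frame[16:]
    if length > len(body):
        return alerts + ["declared length exceeds captured payload"]
    body, off, more = body[:length], 0, True        # slicing drops Ethernet padding
    while more:                                     # step 2: walk the datagram chain
        if off + 10 > len(body):
            alerts.append("truncated datagram header")
            break
        cmd, _idx, adp, _ado, lf, _irq = struct.unpack_from("<BBHHHH", body, off)
        dlen, more = lf & 0x07FF, bool(lf & 0x8000) # 11-bit length, M = more follow
        if off + 10 + dlen + 2 > len(body):
            alerts.append("datagram overruns frame")
            break
        if cmd > MAX_CMD:
            alerts.append(f"undefined command {cmd}")
        elif cmd in FIXED_ADDR_CMDS and adp not in stations:
            alerts.append(f"station address {adp:#06x} not in configuration")
        off += 10 + dlen + 2                        # header + data + working counter
    return alerts

def build_frame(src, datagrams, ftype=1):
    """Build a constructed sample frame from (cmd, adp, ado, data) tuples."""
    body = b""
    for i, (cmd, adp, ado, data) in enumerate(datagrams):
        more = 0x8000 if i < len(datagrams) - 1 else 0
        body += struct.pack("<BBHHHH", cmd, i, adp, ado, len(data) | more, 0)
        body += data + b"\x00\x00"                  # data, then working counter
    hdr = struct.pack("<H", len(body) | (ftype << 12))
    return b"\xff" * 6 + src + struct.pack("!H", ETHERTYPE_ECAT) + hdr + body
```
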