Research On Threat Defense Technology For Industrial Control Systems

Posted on: 2021-03-14
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Zhang
Full Text: PDF
GTID: 2518306110998119
Subject: Computer technology

Abstract/Summary:
The industrial control system is the nerve center of the country's key infrastructure and is directly related to the safety of the industrial production environment. With the development of the Industrial Internet, connections between industrial control systems and the external Internet have become more frequent, leading to more exposed attack paths and more serious security threats. Traditional security protection methods can no longer defend effectively against this problem. Therefore, this thesis proposes using industrial control honeypot technology to trap threats and protect real equipment. When the trap fails, the intrusion detection module is called to further remove the attack traffic. The main work and innovations are as follows:

(1) This thesis proposes an ICS lightweight virtual honeypot construction method that relies on high-interaction honeypots. It addresses the limited interaction capacity and excessively complicated construction of industrial control virtual honeypots. By observing and recording the interaction process between the attacker and the high-interaction honeypot, a communication template is established. When an attack stream is received later, the communication template is queried and a response packet is constructed in reply. Experimental results show that this method reduces the resource occupancy rate while preserving interactive ability, achieving the goal of lightweight deployment.

(2) This thesis proposes an ICS honeynet framework based on the combination of virtual and real devices. The framework addresses the problem that the simulation of ICS virtual honeypots is difficult to improve and that physical honeypots are difficult to deploy on a large scale. Virtual honeypots are deployed in the cloud and real equipment is deployed locally, achieving a cloud-to-local many-to-one mapping. After an attack arrives, a honeypot is dynamically scheduled to respond to it. Experimental results show that the framework's intrusion trapping ability is better than that of the current mainstream ICS honeypot schemes.

(3) This thesis proposes an ICS anomaly detection system based on multi-layer dependency modeling, which addresses the problem of trap failure after the honeypot is identified. The method divides traffic into three levels: traffic, packets, and content. It builds the dependencies between the different layers of data through a parallel LSTM neural network, making maximum use of LSTM's long-sequence learning ability, to detect abnormal industrial traffic. In experimental evaluation, the detection precision of this method reached 96.9%, an improvement of 7.2% over the non-layered model.
Keywords/Search Tags:Industrial Control System, Honeypot, ICS Honeynet, Dynamic Scheduling, Intrusion Detection