Research On Anomaly Detection Of Industrial Control System Deception Attack Based On Self-organizing Map Neural Network

Posted on: 2022-08-10
Degree: Master
Type: Thesis
Country: China
Candidate: Q H Hong
Full Text: PDF
GTID: 2518306335466654
Subject: Control Engineering

Abstract/Summary:
Industrial control systems (ICS) are widely used in key national infrastructure such as water conservancy, transportation, and the chemical industry, so attacks on ICS can cause serious national security problems. In recent years, with the continuous development of the Internet of Things (IoT) and the industrial internet, industrial control security incidents have occurred frequently, such as Stuxnet in Iran, large-scale blackouts in Ukraine, and recent Israeli VPN vulnerabilities. Abnormal ICS behaviors such as virus intrusions and equipment failures pose a serious threat to people's lives, social and economic development, and national security. Research on ICS anomaly detection technology is therefore of great significance for ensuring the safety of ICS.

ICS has an obvious hierarchical structure. Among ICS attack strategies, spoofing attacks on the field device layer and the field control layer damage the ICS by acting directly on sensors and controller loops, which interferes directly with the production process. To detect ICS anomalies caused by spoofing attacks, this paper proposes an ICS anomaly detection technology based on the self-organizing map (SOM). The specific work is as follows.

(1) A general model of spoofing attacks on the field device layer and the field control layer is established. Taking the Tennessee Eastman (TE) process as a typical industrial control system, four spoofing attacks (surge attack, bias attack, geometric attack, and square attack) are modeled and simulated, and the abnormal conditions that the four attacks cause in the system are analyzed.

(2) Current machine-learning-based anomaly detection algorithms suffer from time-consuming and labor-intensive manual labeling of samples, poor detection performance, and high model training cost in massive-data scenarios. To address these problems, this paper proposes a SOM-based anomaly detection technology and takes the four spoofing attacks as examples for anomaly detection research. The proposed SOM anomaly detection technology constructs an ICS state model through unsupervised learning and detects anomalies by calculating the difference between the system state to which an unknown sample belongs and the normal state. Because unsupervised anomaly detection algorithms have poor interpretability when the abnormal sample is unknown, this paper proposes an abnormal-variable locating technology based on anomalous contribution to improve the efficiency of exception handling. In addition, because system abnormalities that are not handled in time, or protection programs that fail to work, can lead to system crashes or disasters, this paper designs an abnormal responder based on supervised SOM, which protects the system by identifying the abnormal type and correcting the spoofed signals.

(3) Because it is difficult for the SOM anomaly detection technology to detect abnormal system state transitions, a hidden Markov model (HMM) is introduced to detect abnormal ICS state transitions by analyzing the dynamic characteristics of the system and characterizing the behavioral pattern of its state transitions. The traditional HMM parameter training strategy is difficult to apply to multivariable time series and to scenarios where the number of hidden states is unknown, so this paper proposes an improved HMM anomaly detection technology based on SOM: SOM is used to estimate the hidden states of the ICS, and the HMM is then trained to detect abnormal changes of system state.
Keywords/Search Tags:industrial control system, anomaly detection, deception attack, unsupervised learning, self-organizing map neural network, hidden Markov model
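The detection and variable-locating idea in item (2), as an added example that is not code from the thesis: a small 1-D SOM is fitted to attack-free samples, a sample is scored by its squared distance to the best-matching unit, and each variable's share of that score locates the spoofed signal. The three-variable process data, the max-error threshold rule, the contribution formula and all function names are assumptions made for illustration.

```python
import random

def bmu(weights, x):
    """Index and squared distance of the best-matching unit (nearest SOM node)."""
    d = [sum((w - v) ** 2 for w, v in zip(unit, x)) for unit in weights]
    i = min(range(len(d)), key=d.__getitem__)
    return i, d[i]

def train_som(data, n_units=6, epochs=30, seed=0):
    """Fit a 1-D SOM to attack-free samples; no labels are used."""
    rng = random.Random(seed)
    weights = [list(rng.choice(data)) for _ in range(n_units)]
    for e in range(epochs):
        lr = 0.5 * (1 - e / epochs)                        # decaying learning rate
        radius = max(1.0, n_units / 2 * (1 - e / epochs))  # shrinking neighbourhood
        for x in rng.sample(data, len(data)):
            win, _ = bmu(weights, x)
            for j, unit in enumerate(weights):
                if abs(j - win) <= radius:
                    h = lr * (1 - abs(j - win) / (radius + 1))
                    for k, v in enumerate(x):
                        unit[k] += h * (v - unit[k])
    return weights

def fit_threshold(weights, data, margin=1.2):
    """Assumed rule: largest error seen in normal operation, times a margin."""
    return margin * max(bmu(weights, x)[1] for x in data)

def detect(weights, threshold, x):
    """Return (is_anomaly, score, per-variable share of the score)."""
    i, score = bmu(weights, x)
    contrib = [(v - w) ** 2 / score if score else 0.0 for v, w in zip(x, weights[i])]
    return score > threshold, score, contrib

def make_normal(n=300, seed=1):
    """Constructed process data: flow, pressure and level driven by one variable."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        f = rng.uniform(0.4, 0.6)
        rows.append([f, 2 * f + rng.gauss(0, 0.01), 1 - f + rng.gauss(0, 0.01)])
    return rows

NAMES = ["flow", "pressure", "level"]
normal = make_normal()
som = train_som(normal)
thr = fit_threshold(som, normal)
spoofed = [0.5, 1.0 + 1.0, 0.5]  # constructed bias attack: constant offset on pressure
flag, score, contrib = detect(som, thr, spoofed)
print(flag, NAMES[contrib.index(max(contrib))])
```

The threshold is calibrated only on normal data, so no labeled attack samples are needed; the contribution vector is what turns an alarm into a pointer at the suspect sensor.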