
Research On ICS Intrusion Detection Methods Based On One Class Support Vector Machine

Posted on: 2022-01-10    Degree: Master    Type: Thesis
Country: China    Candidate: S C Pan    Full Text: PDF
GTID: 2518306353977019    Subject: Master of Engineering
Abstract/Summary:
Industrial control systems are widely used in the connection, monitoring and control of important national infrastructures such as nuclear power, the chemical industry, water conservancy and energy. Once attacked, they can cause serious harm such as facility paralysis, environmental pollution, economic losses and even casualties. With the continuous integration of industrial control systems and IT technologies, they are gradually exposed to new threats, increasing the possibility of network attacks. Therefore, strengthening research on industrial control system security protection technology has become one of the core contents of national security strategies. Intrusion detection is a key part of the security defense of industrial control systems. By collecting and analyzing key data in the system, abnormal behaviors inside and outside the system are detected in real time, and corresponding protection measures are then taken. It can effectively enhance the attack detection and early warning ability of the system. However, due to the great differences between industrial control systems and traditional IT systems, traditional intrusion detection technology cannot fully meet the security requirements of industrial control systems. For this reason, it is necessary to design reasonable intrusion detection methods according to the security requirements and vulnerabilities of industrial control systems, so as to improve the intrusion detection rate and reduce the false alarm rate and false negative rate. The main work of this paper is as follows:

(1) Aiming at the security protection problem at the field level, a whitelist protection method based on deep inspection classified by Modbus function code is proposed. The method has low computational complexity, realizes comprehensive detection of Modbus TCP packets from the network layer to the application layer, and configures whitelist rules according to function codes and the data format characteristics corresponding to each of them, so as to intercept illegal packets. The protection method can analyze the application-layer data content of a message, and supports limiting the address range, the quantity and the written value of each function code and its corresponding operation object by threshold. The whitelist rules are classified and managed, and corresponding storage management strategies are configured for different types of rules, so as to improve the query and matching efficiency of the rules, guarantee real-time communication in the industrial control system, and improve the security protection performance of the system. Finally, the effectiveness of this method is verified by experiments.

(2) Aiming at the security protection of the process monitoring layer, an intrusion detection algorithm based on a one-class support vector machine (OCSVM) is proposed. Firstly, to address the large volume, high dimensionality and strong nonlinearity of industrial data, the Fisher score is introduced into the kernel principal component analysis algorithm, and feature extraction on the data set is carried out by considering both the category information and the overall information of the samples. Then the hierarchical collaborative immune particle swarm optimization algorithm (HCIPSO) is used to optimize the OCSVM parameters, which addresses the tendency of particle swarms to fall into local convergence and enhances the overall performance of the algorithm. Finally, an intrusion detection model based on FKPCA-HCIPSO-OCSVM is constructed, and comparative experiments are conducted to verify it. The results show that, compared with other algorithms, the method in this paper has short training time, strong learning and generalization ability, high accuracy, and relatively low false alarm and false negative rates; it can better meet the intrusion detection requirements of industrial control systems and has certain practical value.
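As an added example (not the thesis's own code), the following Python sketches the field-level whitelist the abstract describes: it parses the Modbus TCP MBAP header and function code, then applies per-function-code rules that bound the register address range, the quantity per request and the written value. The rule table, the frame builder and any sample frames are constructed for illustration and do not reflect the thesis's actual rule format.

```python
import struct
# Constructed whitelist rules per Modbus function code (the rule layout is an
# assumption for illustration, not the thesis's own format): address range,
# quantity per request and, for writes, the permitted written value.
RULES = {
    3:  {"addr": (0, 99), "max_qty": 10},                      # Read Holding Registers
    6:  {"addr": (40, 49), "value": (0, 1000)},                # Write Single Register
    16: {"addr": (40, 49), "max_qty": 4, "value": (0, 1000)},  # Write Multiple Registers
}

def parse_modbus_tcp(frame):
    """Validate the 7-byte MBAP header; return (function code, PDU data)."""
    if len(frame) < 12:  # MBAP (7) + function code (1) + at least 4 data bytes
        raise ValueError("frame too short")
    _tid, proto, length, _uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("MBAP protocol id or length field inconsistent")
    return frame[7], frame[8:]

def check_whitelist(frame):
    """Return (allowed, reason) for one Modbus TCP request frame."""
    try:
        fc, data = parse_modbus_tcp(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    rule = RULES.get(fc)
    if rule is None:
        return False, f"function code {fc} not in whitelist"
    start, qty = struct.unpack(">HH", data[:4])  # FC 3 PDU: address, quantity
    values = []
    if fc == 6:      # FC 6 PDU: address, value (single register write)
        qty, values = 1, [qty]
    elif fc == 16:   # FC 16 PDU: address, quantity, byte count, values
        if len(data) != 5 + 2 * qty or data[4] != 2 * qty:
            return False, "byte count does not match quantity"
        values = list(struct.unpack(f">{qty}H", data[5:]))
    if not 1 <= qty <= rule.get("max_qty", 1):
        return False, f"quantity {qty} outside limit"
    lo, hi = rule["addr"]
    if start < lo or start + qty - 1 > hi:
        return False, f"registers {start}-{start + qty - 1} outside {lo}-{hi}"
    vlo, vhi = rule.get("value", (0, 0xFFFF))
    if any(not vlo <= v <= vhi for v in values):
        return False, "written value outside allowed range"
    return True, "allowed"

def build_request(tid, uid, fc, pdu_data):  # builds constructed test frames
    pdu = bytes([fc]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu
```

For example, `check_whitelist(build_request(1, 1, 3, b"\x00\x00\x00\x0a"))` (read 10 registers from address 0) is allowed under these rules, while the same read starting at address 95 is rejected because it runs past the permitted range.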
Keywords/Search Tags: Industrial control system, Intrusion detection, Deep packet inspection, One class support vector machine, Kernel principal component analysis, Particle swarm optimization