
Research And Application Of Industrial Control System Intrusion Detection Based On Traffic Model

Posted on: 2022-10-07
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Ding
GTID: 2518306491453374
Subject: Computer software and theory
Abstract/Summary:
Industrial control systems (ICS) are the cornerstone of national critical infrastructure and public services, and their security bears on the national economy and people's livelihood. A survey found that nearly three-quarters of global industrial companies said they believed they would be exposed to ICS attacks, and 77% listed cyber security as a top priority. Studying industrial control network security is therefore of great value for protecting industrial control systems from network intrusion. In addition, industrial control systems almost never stop running, so they produce large volumes of multidimensional traffic data. This data must first be preprocessed, after which a traffic model is built from the traffic characteristics to detect intrusion behavior. Although domestic researchers have done a great deal of work in this area, most of it focuses on the analysis of system state, protocol and behavior, and less on the industrial control network traffic model. It is therefore of great research value and practical significance to use an industrial control network traffic model to analyze the characteristics of industrial control traffic and to help security personnel carry out industrial control intrusion detection and prevention.

This paper summarizes the differences between industrial control systems and traditional IT information systems, analyzes the vulnerabilities of industrial control systems and of the commonly used Modbus/TCP protocol, compares the security of industrial control systems and IT systems from the attacker's point of view, describes the common attack scenarios for intrusions into industrial control networks, and then determines the security requirements of industrial control systems. Considering the application of neural networks to traffic modeling, and after reviewing the relevant modeling methods, this paper designs a novel traffic model for industrial control intrusion detection based on probabilistic principal component analysis (PPCA) and a long short-term memory (LSTM) network.

The intrusion detection traffic model predicts the next normal traffic by learning the characteristics of historical traffic data, and then compares the prediction with the actual network traffic to determine whether an intrusion has occurred. First, because the network connection records of an industrial control system contain both symbolic attribute values and continuous variables, the traffic data goes through data identification, conversion of symbolic values to numeric values, and normalization, in that order. Then, because the traffic characteristics in the connection records are complex, the probabilistic principal component analysis algorithm is used to reduce the dimension of the traffic features: the 13 features with the strongest correlation are extracted from the 41 features, and the historical traffic database is established. Finally, the LSTM network learns the historical communication characteristics to make its prediction, and an intrusion is judged by comparing the predicted value with the actual value. Experimental results show that the accuracy of the proposed method is 9.58% higher than that of the LSTM model and 5.59% higher than that of the LSTM model using principal component analysis, and the running time is also reduced. This indicates that introducing probabilistic principal component analysis for feature extraction improves the accuracy of the model and reduces the cost of calculation.
Keywords/Search Tags:Industrial Control Systems, Traffic Model, Intrusion Detection, Recurrent Neural Network
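
The preprocessing and dimension-reduction stage described in the abstract, as an added example that is not code from the thesis: it encodes symbolic fields, min-max normalizes, and projects 41 fields onto 13 PPCA latent dimensions (components, not a subset of the original columns) using the closed-form maximum-likelihood solution of Tipping and Bishop. The function names, the record layout and the sample records are assumptions constructed here, NumPy is required, and the LSTM predictor is not included.

```python
import numpy as np

def preprocess(records, symbolic_cols):
    """Map symbolic attributes to integer codes, then min-max normalise each column to [0, 1]."""
    cols = []
    for j in range(len(records[0])):
        col = [r[j] for r in records]
        if j in symbolic_cols:
            codes = {v: i for i, v in enumerate(sorted(set(col)))}
            col = [codes[v] for v in col]
        cols.append(np.asarray(col, dtype=float))
    X = np.column_stack(cols)
    lo, span = X.min(axis=0), X.max(axis=0) - X.min(axis=0)
    span[span == 0] = 1.0                      # constant column: avoid division by zero
    return (X - lo) / span

def fit_ppca(X, q):
    """Closed-form ML estimate of the PPCA mean, loading matrix W and noise variance."""
    mu = X.mean(axis=0)
    vals, vecs = np.linalg.eigh(np.cov(X - mu, rowvar=False))
    vals, vecs = vals[::-1], vecs[:, ::-1]     # eigh is ascending; we want descending
    sigma2 = vals[q:].mean()                   # noise variance = mean discarded eigenvalue
    W = vecs[:, :q] * np.sqrt(np.maximum(vals[:q] - sigma2, 0.0))
    return mu, W, sigma2

def project(X, mu, W, sigma2):
    """Posterior mean of the latent variables: M^-1 W^T (x - mu), with M = W^T W + sigma2 I."""
    M = W.T @ W + sigma2 * np.eye(W.shape[1])
    return np.linalg.solve(M, W.T @ (X - mu).T).T

def make_records(n=300, seed=0):
    """Constructed sample data: 41-field records, field 1 symbolic, driven by 5 hidden factors."""
    rng = np.random.default_rng(seed)
    latent = rng.normal(size=(n, 5))
    num = latent @ rng.normal(size=(5, 40)) + 0.05 * rng.normal(size=(n, 40))
    proto = rng.choice(["modbus", "tcp", "udp"], size=n)
    return [[row[0], proto[i], *row[1:]] for i, row in enumerate(num)]

if __name__ == "__main__":
    X = preprocess(make_records(), symbolic_cols={1})
    mu, W, sigma2 = fit_ppca(X, q=13)
    Z = project(X, mu, W, sigma2)
    print(X.shape, "->", Z.shape, "noise variance:", round(float(sigma2), 6))
```

The rows of `Z` are what a sequence model would be trained on to predict the next record; the fitted `mu`, `W` and `sigma2` must be reused unchanged on live traffic so that predicted and observed values are compared in the same space.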