Research On Multi-View Attack And Fault Identification Method Of Industrial Control System Based On Path Reasoning

Posted on: 2022-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: R Yang
GTID: 2518306572482824
Subject: Control Science and Engineering

Abstract/Summary:
The application of information technologies such as 5G in industry has exposed industrial control systems to frequent cross-domain network attacks. The features of faults caused by attacks and of incidental faults of the physical system are too similar, which affects the defense decision when the defense system finds an anomaly. Attack and fault identification technology obtains the anomaly type by analyzing attack and fault data, and is an important component of industrial control system security protection. The information and physical parts of industrial control systems are tightly coupled, and unknown attacks keep emerging. Current research on attack and fault identification has difficulty adapting to anomalies with unknown patterns and lacks comprehensive consideration of the system.

The paper analyzes the demand for attack and fault identification in industrial control systems and proposes a multi-view attack and fault identification framework based on path reasoning, aimed at the diversity of unknown attack patterns and the close coupling of the information system and the physical system. The framework works from two perspectives: anomaly root cause analysis and attack intention matching. It overcomes the limitation that data-feature analysis methods face with unknown anomaly patterns, analyzes the anomaly from multiple perspectives, considers the interaction between the system's information and physical domains, and identifies the anomaly type.

The anomaly root cause analysis method proposed in the paper uses a Bayesian model across the cyber-physical domains to mine node causality. Based on the superposition of the child node's state from its parent nodes, the method designs an anomaly path backtracking algorithm. The algorithm starts from the physical domain and uses state observation data and alarm information to infer the abnormal parent node from the bottom up. It iterates upwards in a graph path search mode to backtrack the anomaly path, discover the root cause of the anomaly, and obtain the identification result.

The attack intent matching method proposed in the paper uses expert knowledge to quantify node assets and calculates the probability of nodes being attacked under different intents to establish a multi-dimensional attack intent model. Based on the optimization of local probability, the method designs an attack path inference algorithm. The algorithm starts from the information domain and uses alarm information to update the model. It then predicts the most probable attack path and feeds the result back to optimize the model, which realizes forward reasoning of the attack path and characterizes the attack propagation process under a given intent. Finally, the algorithm determines the attack target and obtains the identification result.

The framework designs a basic probability distribution function based on evidence theory and integrates the multi-source identification results at the decision-making level to obtain the final anomaly type. The paper uses the warning information and observation data obtained from a hardware-in-the-loop simulation platform to train the Bayesian model and the intention model, and uses the anomaly root cause analysis method and the attack intention matching method for identification. The experiments prove the rationality of the identification method and the effectiveness of the reasoning algorithms, and the measured reasoning time illustrates the usability of the method.
Keywords/Search Tags: Industrial Control System, attack and fault identification, multi-view identification, path reasoning, decision fusion
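
The decision-level fusion step described in the abstract, as an added example that is not code from the thesis: it combines the results of the two views with Dempster's rule of combination, the standard combination rule of evidence theory, which the thesis is assumed to use. The mass values, the `margin` threshold and all names are constructed for illustration.

```python
from itertools import product

# Frame of discernment for the anomaly type (assumed: two hypotheses).
ATTACK = frozenset({"attack"})
FAULT = frozenset({"fault"})
THETA = ATTACK | FAULT  # mass on the whole frame = "this view cannot tell"


def combine(m1, m2):
    """Dempster's rule of combination. Returns (fused masses, conflict K)."""
    fused, conflict = {}, 0.0
    for (a, wa), (b, wb) in product(m1.items(), m2.items()):
        common = a & b
        if common:
            fused[common] = fused.get(common, 0.0) + wa * wb
        else:
            conflict += wa * wb  # the two views contradict each other
    if conflict >= 1.0 - 1e-12:
        # Normalising by (1 - K) is undefined when the views fully disagree.
        raise ValueError("total conflict between the two views")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}, conflict


def decide(masses, margin=0.1):
    """Final anomaly type; 'undetermined' if the singletons are too close.

    `margin` is a hypothetical threshold, not taken from the thesis.
    """
    a, f = masses.get(ATTACK, 0.0), masses.get(FAULT, 0.0)
    if abs(a - f) < margin:
        return "undetermined"
    return "attack" if a > f else "fault"


# Constructed basic probability assignments for one anomaly event:
# the result of root cause backtracking and the result of intent matching.
ROOT_CAUSE_VIEW = {ATTACK: 0.6, FAULT: 0.1, THETA: 0.3}
INTENT_VIEW = {ATTACK: 0.5, FAULT: 0.2, THETA: 0.3}

if __name__ == "__main__":
    fused, k = combine(ROOT_CAUSE_VIEW, INTENT_VIEW)
    print(f"conflict K = {k:.2f}")
    for hypothesis, mass in fused.items():
        print(sorted(hypothesis), round(mass, 3))
    print("decision:", decide(fused))
```

A high conflict value K means the two views disagree about the same event, which is worth surfacing to an operator rather than hiding behind the normalised result.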