Research And Implementation Of Key Technologies For Border Mimic Protection Of Industrial Network

Posted on: 2022-07-29
Degree: Master
Type: Thesis
Country: China
Candidate: F Yu
Full Text: PDF
GTID: 2518306731997959
Subject: Cyberspace security

Abstract/Summary:
Industrial control systems (ICS) widely adopt network border protection technology for their security. However, the vulnerabilities introduced during the development of that technology cannot be avoided. The similarity and static characteristics that result from large-scale, long-term industrial deployment make it difficult to deal with unknown Advanced Persistent Threats (APT), to make the defense gain converge, and to quantify the malicious degree of an attack. It is therefore of great significance to study how to make the defense gain of industrial network border protection equipment converge to a higher level and how to quantify the malicious degree of different attacks.

This thesis makes three proposals. For the problem of vulnerability and backdoor threats in industrial network border protection equipment, it proposes a border protection defense model based on endogenous security. For the problem that the defense gain cannot converge under static defense or under the simple attack surface transformation of moving target defense, it proposes an industrial network border filter method based on endogenous security. For the problem that existing decision and scheduling algorithms have difficulty distinguishing the malicious degree of each attack, it proposes a decision algorithm and a scheduling algorithm that adjust executors' credibility according to the normalized executor output difference distance. The main research contents and innovations are as follows:

1. For the problem of backdoors and vulnerabilities in border protection equipment in an industrial network, an industrial network filter model and an industrial data anomaly detection model are proposed, both based on endogenous security. First, the threat model of border protection equipment is established according to the hierarchy of industrial networks, and the characteristics of the protection equipment that an attack depends on are obtained. Then, according to their working characteristics, the filter technology and the data anomaly detection technology used in industrial network border protection are each combined with endogenous security to build protection models. Finally, the security of the protection models is analyzed from the perspective of the equivalent attack surface, the defense gain, and the attack chain. The results show that the defense models proposed in this thesis can improve the security of industrial network border protection.

2. For the problem that the defense gain of industrial network border filter equipment cannot converge, an industrial network border filter method based on endogenous security is proposed. The static defense of traditional industrial network border protection and the simple random attack surface transformation of moving target defense both cause the defense gain to fail to converge. Therefore, this thesis constructs a mimic domain with four heterogeneous filter executors based on mimic defense and has the executors process the same external inputs simultaneously. The voting result is determined by majority selection and dynamic weights. By comparing the processing results of each executor, an executor detected as abnormal is replaced and cleaned offline through the dynamic scheduling mechanism. This effectively alleviates the non-convergence of defense gain caused by static defense and simple random transformation. An analysis of the method's anti-attack ability shows that the greater the degree of heterogeneity and the greater the number of heterogeneous executors, the faster the defense gain converges.

3. For the problem that existing multi-executor decision and scheduling algorithms have difficulty distinguishing the malicious degree of attack behavior, a false data injection detection method is proposed, with a decision algorithm and a scheduling algorithm based on normalized output distance feedback. With anomaly detection in power system state estimation as the application scenario, this thesis proposes a decision algorithm that adjusts executors' credibility according to the normalized executor output difference distance, and a scheduling algorithm that constructs a revenue function based on runtime, credibility, and switching overhead. Together these can effectively improve the defense capability of industrial network protection equipment. Simulation results show that the proposed method can reduce the average failure rate of the system by 43.80% when the system switch overhead is reduced by at least 3.22%.

Keywords/Search Tags:industrial network, border protection, endogenous security, filter, anomaly detection