Research And Application Of Malicious Behavior Detection In Industrial Control Network

Posted on: 2022-12-13 | Degree: Master | Type: Thesis
Country: China | Candidate: X C Ding
GTID: 2518306764476804 | Subject: Library Science and Digital Library
Abstract/Summary:
In recent years, the industrial Internet has made great progress against the background of the country's vigorous promotion of new infrastructure, but the integration of industrial control systems with the Internet has also brought more network security risks to the industrial control industry. Existing industrial control network security protection technologies still have many deficiencies, such as the low detection accuracy of intrusion detection models for hidden attacks and the difficulty of adapting high-interaction honeypots to varied industrial control scenarios.

This paper designs and implements an industrial control network defense system to solve the above problems. The system is mainly composed of a high-interaction honeypot module and a session flow intrusion detection module. Compared with other high-interaction honeypots, the high-interaction honeypot in this paper can adapt to more industrial control scenarios. The session flow intrusion detection module analyzes the malicious behavior of a session flow at different levels of the protocol stack and adopts a model feature adaptation method to improve the detection accuracy for hidden attacks on industrial control.

The main work of this paper is as follows:

1. Design and implement the session flow intrusion detection module. This module passively monitors the traffic of the network card, parses each Ethernet frame according to the TCP/IP protocol stack model, and extracts the session flow from the data packets through the session flow identifier. The module analyzes the session flow according to a layered protocol model: the byte stream data of the industrial control application layer is analyzed by a convolutional neural network model, and the network statistical characteristics below the industrial control application layer are analyzed by a traditional machine learning method. Finally, the prediction results of the two models are integrated to complete the malicious behavior analysis of the session flow.

2. Design and implement a high-interaction honeypot module. The honeypot supports describing PLC execution logic in the ladder diagram language, so that it can adapt to various industrial control production scenarios. The honeypot logs the attacker's activity at two levels. The first is the network layer, where the attacker's socket connection information is collected through a network sniffer; the second is the application layer, where the honeypot records the sequence of industrial control instructions sent by the attacker.

3. Propose a model detection method based on "feature adaptive update". The high-interaction honeypot performs feature engineering and automated category labeling on access traffic to generate a temporary data set. The temporary data set is used to train the machine learning model and the convolutional neural network model, and the models of the intrusion detection system are then dynamically updated so that they better adapt to the real-time traffic characteristics of the attacker. The experimental results show that this method improves the accuracy of the session flow intrusion detection module in detecting hidden attacks on industrial control.

4. Implement a plug-in industrial control protocol analysis framework. Parsing rules for industrial control protocols can be added dynamically through plug-ins, device information can be enriched from the parsed protocol content, and a visual asset list of devices can be provided. This framework is adapted to the session flow intrusion detection module.
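The session flow extraction step in item 1, as an added Python example that is not code from the thesis. It assumes the session flow identifier is a direction-independent pair of endpoints plus protocol (the abstract does not define it), and the Modbus/TCP frames are constructed sample input.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload, pad=b""):
    """Constructed test input: Ethernet + IPv4 + TCP frame (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload + pad

def parse_frame(frame):
    """Walk Ethernet -> IPv4 -> TCP; return (src, sport, dst, dport, payload) or None.
    The payload is cut at the IP total length so Ethernet padding is excluded."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4 (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    tcp = 14 + ihl
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6 or len(frame) < tcp + 20:
        return None                                  # malformed or not TCP
    total_len = struct.unpack("!H", frame[16:18])[0]
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    if doff < 20:
        return None                                  # invalid TCP data offset
    return frame[26:30], sport, frame[30:34], dport, frame[tcp + doff:14 + total_len]

def session_id(src, sport, dst, dport):
    """Direction-independent identifier (assumed form: sorted endpoints + protocol)."""
    a, b = (src, sport), (dst, dport)
    return (min(a, b), max(a, b), 6)

def extract_flows(frames):
    """Group frames into session flows, keeping both views the module analyzes."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "app": b""})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        flow = flows[session_id(*parsed[:4])]
        flow["packets"] += 1                # statistical view (below application layer)
        flow["bytes"] += len(parsed[4])
        flow["app"] += parsed[4]            # application-layer byte stream view
    return dict(flows)

# Constructed Modbus/TCP exchange: read 2 holding registers, then the reply.
REQ, RESP = bytes.fromhex("000100000006010300000002"), bytes.fromhex("000100000007010304000a000b")
CLIENT, PLC = (10, 0, 0, 5), (10, 0, 0, 10)
SAMPLE_FRAMES = [build_frame(CLIENT, PLC, 49152, 502, REQ),
                 build_frame(PLC, CLIENT, 502, 49152, RESP, pad=b"\x00" * 6),
                 b"\xff" * 12 + b"\x08\x06" + b"\x00" * 46]   # ARP-typed frame, skipped
```

Calling `extract_flows(SAMPLE_FRAMES)` yields one flow whose `app` bytes would feed the byte-stream model and whose counters would feed the statistical model.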
Keywords/Search Tags:Industrial Control Systems, Honeypots, Modbus Protocol, Machine Learning, Convolutional Neural Networks