In recent years, with the rapid development of software and hardware technology, the number of networked control devices and data-exchange devices in power industrial control systems has been increasing, making data access more diverse and flexible. As technology advances, the power industrial control network benefits from ease of operation, but the gradual opening of connections to the outside world also increases its exposure to attack. The network security of the power industrial control system is tied to the normal operation of the entire power system: a secure and reliable network environment safeguards the quality of power supply, reduces accidents and avoids unnecessary losses to companies and users.

Because of the particular nature of power industrial control systems, researchers at home and abroad are working to explore and develop anomaly identification techniques, and the current techniques for power industrial control networks have a number of problems. Because of the proprietary protocols and complex network environments in power industrial control systems, the generalizability of anomaly identification methods is low: a proposed method typically applies only to one specific network environment and is difficult to generalize even in simple ways. Current research on anomalous traffic in power industrial control networks focuses mainly on detecting it, while in-depth exploration of the anomalous data itself is lacking, so little is known about the anomalies that occur in the network and there is no standardized process for analyzing anomalous traffic.

This thesis focuses on identifying anomalous traffic in power industrial control networks based on traffic characteristics, through three aspects: detection, characterization and classification. The main work of this thesis is as follows:

(1) Anomaly detection is achieved by constructing a behavioral baseline of normal business traffic. The interactive behavioral features of the traffic are extracted in the form of bidirectional data streams, and a convolutional autoencoder is then used to fit the characteristics of normal business in the power industrial control network and form the behavioral baseline, against which anomalous traffic is detected.

(2) To analyze the detected anomalies further, the characteristics of anomalous traffic are extracted from two aspects, the statistical and the sequential characteristics of the network traffic, and a profile of the anomalous traffic is constructed to characterize it. First, the behavioral characteristics of the anomalous traffic itself are combined with the key vectors encoded by the baseline model to form the feature vector of the anomalous traffic. Second, the anomalous traffic is modeled as a state machine using a Hidden Markov Model to extract its features in terms of temporal sequence.

(3) On the basis of anomaly detection and characterization, the statistical and temporal characteristics of anomalous traffic are used, respectively, to classify the anomalous data. The purpose of anomaly identification is to help troubleshoot and handle anomalous traffic in the network, and obtaining specific anomaly types through classification helps increase the understanding of anomalies. In this thesis, the classification model that uses statistical features as feature vectors not only classifies known types of anomalous traffic but also takes into account the identification of unknown types, whereas the classification method using Hidden Markov Models has certain limitations and can accurately identify only known types of data.
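The behavioral-baseline detection of step (1), as an added example that is not the thesis's own code: packets are grouped into bidirectional flows, per-direction interaction features are extracted, a baseline is fitted on normal polling traffic, and flows that depart from it are flagged. A per-feature z-score baseline stands in for the convolutional autoencoder, and the addresses, ports and traffic are constructed for the demo.

```python
from statistics import mean, pstdev

def poll_session(master, rtu, sport, polls, resp_len, t0=0.0):
    """Constructed request/response pairs: master polls rtu on port 20000 every 2 s."""
    pkts = []
    for i in range(polls):
        t = t0 + i * 2.0
        pkts.append((t, master, rtu, sport, 20000, 60))                 # request
        pkts.append((t + 0.05, rtu, master, 20000, sport, resp_len))    # response
    return pkts

# Hypothetical addresses: a master at 10.0.0.1 polling four RTUs (normal business).
NORMAL = [p for r in range(2, 6)
          for p in poll_session("10.0.0.1", f"10.0.0.{r}", 40000 + r, 8 + r, 100 + 8 * r)]
# Test traffic: an unseen but normally behaving RTU, plus a constructed one-sided
# burst of 40 tiny packets that never get a reply (not an anomaly from the thesis).
TEST = poll_session("10.0.0.1", "10.0.0.6", 40006, 11, 148) + [
    (i * 0.01, "10.0.0.9", "10.0.0.3", 50000, 20000, 40) for i in range(40)]

def flow_features(packets):
    """Group packets into bidirectional flows; 'fwd' is the direction of the first packet."""
    flows = {}
    for ts, src, dst, sport, dport, length in sorted(packets):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        f = flows.setdefault(key, {"init": (src, sport), "fwd": [], "bwd": [], "ts": []})
        f["fwd" if (src, sport) == f["init"] else "bwd"].append(length)
        f["ts"].append(ts)
    feats = {}
    for key, f in flows.items():
        gaps = [b - a for a, b in zip(f["ts"], f["ts"][1:])] or [0.0]
        # Interactive behaviour: packets and bytes per direction, mean inter-arrival time.
        feats[key] = [len(f["fwd"]), len(f["bwd"]), sum(f["fwd"]), sum(f["bwd"]), mean(gaps)]
    return feats

def fit_baseline(rows):
    """Per-feature mean/std of normal flows; a simple stand-in for the thesis's autoencoder."""
    return [(mean(c), pstdev(c) or 1.0) for c in zip(*rows)]

def anomaly_score(baseline, row):
    """Largest absolute z-score across features: how far the flow departs from the baseline."""
    return max(abs(x - m) / s for x, (m, s) in zip(row, baseline))

def detect(packets, baseline, threshold=3.0):
    """Return flows whose deviation from normal business behaviour exceeds the threshold."""
    scores = {k: anomaly_score(baseline, r) for k, r in flow_features(packets).items()}
    return {k: round(s, 1) for k, s in scores.items() if s > threshold}

def run_demo():
    baseline = fit_baseline(list(flow_features(NORMAL).values()))
    return detect(TEST, baseline)
```

`run_demo()` flags only the one-sided burst; the unseen RTU stays within the baseline because its interaction pattern matches the other pollers.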