Research On Data-driven Intrusion Detection In Industrial Control Systems

Posted on: 2024-04-19
Degree: Master
Type: Thesis
Country: China
Candidate: J Pan
Full Text: PDF
GTID: 2558307040986929
Subject: Electronic information
Abstract/Summary:
Industrial control systems (ICSs) occupy the core control position in industrial production. ICSs are gradually becoming more open, interconnected and general-purpose, and their integration with enterprise networks and even the Internet is deepening. As a result, traditional information security threats inevitably spread to the field of industrial control. In recent years, network attacks against ICSs have caused great damage to nuclear facilities and key infrastructure in some countries. Malicious intrusions seriously threaten national security and public security, and the need for ICS security is increasingly urgent.

Intrusion detection systems (IDSs) monitor network activity and generate alerts for potential or attempted intrusions. Intrusion detection is an important technical means of ensuring ICS security and an important part of the defense-in-depth strategy for communication networks. IDSs have been widely studied in traditional network security, but several problems remain in intrusion detection for ICSs:

(1) The number of public industrial control security datasets that support IDS research is limited, the proportion of datasets containing physical process information is low, the data types are not comprehensive, and the positive and negative samples are not balanced.
(2) Misuse-based intrusion detection cannot detect unknown attacks, while anomaly-based intrusion detection depends heavily on experts and is difficult to model.
(3) The number of intrusion detection systems deployed online is limited.

In response to these problems, this paper first establishes an industrial control security dataset that contains seven types of attacks and supports IDS modeling, testing and evaluation. Second, four intrusion detection models based on machine learning are established, which can effectively detect intrusions and raise alarms. Finally, a variety of intrusion detection methods are integrated into an online detection system, which has a high detection rate, fast detection speed and good detection performance against unknown attacks. The specific research contents of this paper are as follows:

1. To address the shortage of open ICS security datasets that can support IDS research, this paper establishes an ethanol distillation system (EDS) security dataset. The dataset contains 41 different attack vectors, which implement attacks from the information side and affect network communication, data privacy, system operation and other aspects. They cover different attack stages, such as gaining access to the network, analyzing communication, establishing the information-physical mapping, and direct contact. The data is collected on a real test bench and contains both the network communication packets and the physical information of the system in operation. The difference between the numbers of positive and negative samples is small.

2. To address the difficulty of modeling ICS intrusion detection systems and of detecting unknown attacks, this paper establishes a machine learning intrusion detection model. Based on an analysis of the physical information characteristics of the ICS, this paper analyzes the similarity between intrusion detection and classification problems, and develops a machine learning intrusion detection scheme based on multiple binary classification methods, such as tree models, ensemble learning, support vector machines (SVM) and neural networks. The scheme does not need expert knowledge: it automatically extracts features, assigns weights and establishes detection models. The experiments show that the features extracted by this scheme closely coincide with the parameters that were directly attacked, and that the detection rate for attacks affecting physical data is close to 100%, which can meet the needs of ICS intrusion detection.

3. This paper integrates multiple intrusion detection models and builds a real-time detection system. The system passively obtains the communication packets between the upper computer (host) and the programmable logic controllers (PLCs), automatically parses them, and then carries out intrusion detection through the detection sub-modules. The final result is generated by a vote among the sub-modules. Each detection sub-module is a machine learning intrusion detection model obtained through training and testing. The experiments show that, as a real-time detection system, the system has a short import time, fast detection speed, small detection delay and good detection performance for unknown attacks, and that it has no obvious impact on the communication efficiency or control process of the control system after deployment.
Keywords/Search Tags: Industrial control system security, Intrusion detection, Machine learning, Datasets