ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2016, Vol. 53 ›› Issue (9): 2039-2054.doi: 10.7544/issn1000-1239.2016.20150465

• 信息安全 • 上一篇    下一篇



  1. 1(物联网信息安全技术北京市重点实验室(中国科学院信息工程研究所) 北京 100093); 2(中国科学院大学 北京 100049) (
  • 出版日期: 2016-09-01
  • 基金资助: 

Intrusion Detection Techniques for Industrial Control Systems

Yang An1,2, Sun Limin1, Wang Xiaoshan1,2, Shi Zhiqiang1   

  1. 1(Key Laboratory of IOT Information Security Technology(Institute of Information Engineering,Chinese Academy of Sciences), Beijing 100093);2(University of Chinese Academy of Sciences, Beijing 100049)
  • Online: 2016-09-01

摘要: 随着工业控制系统(industrial control systems, ICS)的逐渐开放,暴露出严重的脆弱性问题.入侵检测作为重要的安全防御措施,根据误用和行为检测,可及时发现可能或潜在的入侵行为.首先,介绍了ICS的系统架构及特性,并对ICS的安全理念进行阐释;其次,依据ICS的特性,给出了对工业控制入侵检测系统(intrusion detection system, IDS)(简写为ICS IDS)的需求和解释;再次,基于检测对象角度,从流量检测、协议检测、设备状态检测3个方面,对现有的ICS IDS技术、算法进行了分类及详细的分析;最后,从检测性能指标、检测技术、检测架构3个方面,对整个ICS IDS的研究趋势进行了展望.

关键词: 工业控制系统, 入侵检测系统, 流量检测, 协议检测, 设备状态检测

Abstract: In recent decades, with the introduction of Ethernet and the more close connection with external network, an increasingly larger number of vulnerabilities have been found in the industrial control system (ICS), exposing its serious security problem. These security issues cannot be handled completely due to the variety of the vulnerability. Therefore, we must construct the defense-in-depth system for ICS. In particular, the intrusion detection system (IDS) is one of the most important parts in the defense-in-depth system of ICS. The IDS is able to discover the potential intrusion by misuse detection and anomaly detection. In this survey, we analyze the architecture and characteristics of ICS and provide the detailed descriptions of the security concept of ICS. Then, according to the characteristics of ICS, we put forward a clear requirement of ICS IDS and elaborate its connotation. Moreover, we categorize the existing IDS methods based on the detection strategy, including traffic detection, protocol detection and equipment state detection. In each category, we analyze the detection technique and discuss the detection algorithm. Finally, for future work, from the perspective of the disadvantages of current solutions and the constraints for ICS applications, we summarize some research trends of ICS IDS from the aspects of performance metric, detection technique and detection architecture.

Key words: industrial control system (ICS), intrusion detection system (IDS), traffic detection, protocol detection, equipment state detection