高级检索

    基于信息流和状态流融合的工控系统异常检测算法

    An Industrial Control System Anomaly Detection Algorithm Fusion by Information Flow and State Flow

    • 摘要: 由于工业控制系统(industrial control system, ICS)与物理环境紧密联系,其特有的序列攻击可通过将合法的操作注入到操作序列中的不合理位置上,迫使ICS进入异常状态,损毁设备,甚至破坏生态环境.目前,针对序列攻击检测的研究基本上是从信息流中提取操作序列进行检测,易受错误、虚假数据等情况的影响,导致检测精度受到限制.针对该问题,充分考虑ICS的操作与物理环境的相互依赖性,提出一种双流融合的工业控制异常检测机制,从物理环境中实时提取工业控制设备的状态信息组成设备状态流,并将其与信息流相融合,从操作次序和时序2个维度检测操作序列是否正常.同时利用设备状态流信息识别操作间隔中的工业控制设备的异常状态,提升异常检测范围和对操作时序异常的检测精度.实验结果表明:该方法能有效地识别序列攻击和部分工业控制设备的异常状态.

       

      Abstract: Industrial control system (ICS) has highly correlation with physical environment. As a unique type of ICS attack, sequence attack injects the normal operations into the wrong sequence positions, which disturbs the process or even destroys the equipment. At present, most anomaly detection methods for sequence attack just detect the operation sequence acquiring from information flow. However, ICS is weak in protecting itself from cyber-attacks, which means that the data of information flow can be faked by attackers. The fake data is one of the main issues that can severely affect the detection accuracy. To remedy this problem, a fusion ICS anomaly detection algorithm is proposed in this paper. This algorithm utilizes the state information of equipment to establish the state flow. Via fusing state flow with information flow, the anomaly of operation sequence can be detected from the aspects of time and order. Meanwhile, to extend the detection range and reduce the detection latency, we use the data of state flow to recognize the anomaly state of equipment between two operations, which is caused by the sequence attack or other attacks. The experimental results in an ICS testbed demonstrate that our detection algorithm can detect sequence attack efficiently and recognize part of anomaly state of ICS equipment.

       

    /

    返回文章
    返回