ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development (计算机研究与发展) ›› 2021, Vol. 58 ›› Issue (11): 2333-2349. doi: 10.7544/issn1000-1239.2021.20210598

Special topic: 2021 Special Issue on Cryptography and Cyberspace Security Governance

• Information Security •

Multi-Mode Attack Detection and Evaluation of Abnormal States for Industrial Control Network

Xu Lijuan (徐丽娟)1,2,3, Wang Bailing (王佰玲)1,3, Yang Meihong (杨美红)2, Zhao Dawei (赵大伟)2, Han Jideng (韩继登)1,4

  1 School of Computer Science and Technology, Harbin Institute of Technology, Weihai, Shandong 264209
  2 Shandong Provincial Key Laboratory of Computer Networks, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014
  3 Research Institute of Cyberspace Security, Harbin Institute of Technology, Harbin 150001
  4 China Information Technology Security Evaluation Center, Beijing 100085
  E-mail: xulj@sdas.org
  • Online: 2021-11-01
  • Supported by:
    This work was supported by the National Major Program for Technological Innovation 2030: New Generation Artificial Intelligence (2020AAA0107700), the National Key Research and Development Program of China (2018YFE0119700), the National Natural Science Foundation of China (U1836117), the Shandong Provincial Natural Science Outstanding Youth Foundation (ZR2020YQ06), and the Key Research and Development Program of Shandong Province (2019JZZY010132).

Abstract: The attack strategies aimed at an industrial control network are varied, but their ultimate intention is the same: to drive the control system into a critical or dangerous state. Consequently, attack detection based on abnormal device states is more reliable than other detection methods. However, state-based anomaly detection faces the problem that the moment at which an attack ends is hard to determine precisely. To address this, this paper establishes an attack strategy model and an abnormal state description model, constructs corresponding datasets under a variety of attack strategies, proposes a time-slice partitioning algorithm based on inflection point fusion and a state feature clustering algorithm, and finally builds an anomaly detection scheme based on a state transition probability graph. Experimental results show that the scheme can effectively detect a variety of attack strategies. In addition, quantitative evaluation of the impact of semantic attacks on system state has received less attention than other attack patterns such as data injection, denial of service, and man-in-the-middle attacks. Taking the anomaly detection results as a foundation, this paper therefore proposes a method for quantitatively evaluating the impact of attacks on system state, based on a fused analysis of abnormal features and damage degree indicators, so that the state of the system can be quantitatively evaluated and analysed at each of its stages. This work has important theoretical value and practical significance for identifying attack intention.

Key words: anomaly detection, attack impact evaluation, device status, state transition probability graph, industrial control network
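To make the two ideas in the abstract concrete, the following Python block is an added illustration and is not code from the paper or its authors. It learns a state transition probability graph from constructed sequences of discrete device states, flags transitions whose learned probability falls below a threshold (including transitions out of states never seen in training, which would otherwise be a KeyError), and fuses the share of flagged transitions with an assumed per-state damage-degree table into one impact score. The state names, training runs, severity weights, threshold and the equal weighting of the two indicators are all assumptions made for this illustration; the paper's time-slice partitioning and state feature clustering steps are not reproduced.

```python
from collections import defaultdict

# Constructed example data (not from the paper): runs of discrete device states
# recorded from a hypothetical tank-control loop during normal operation.
NORMAL_RUNS = [
    ["idle", "filling", "heating", "draining", "idle"],
    ["idle", "filling", "heating", "holding", "draining", "idle"],
    ["idle", "filling", "heating", "draining", "idle"],
    ["idle", "filling", "heating", "holding", "draining", "idle"],
]

# Assumed damage-degree indicator per state, in [0, 1]; states absent from the
# table count as 0 (no damage). The paper's own indicators are not reproduced.
STATE_SEVERITY = {"overheat": 1.0, "overflow": 1.0, "holding": 0.0}


def build_transition_graph(runs):
    """Learn P(next | current) from normal runs: the state transition probability graph."""
    counts = defaultdict(lambda: defaultdict(int))
    for run in runs:
        for cur, nxt in zip(run, run[1:]):
            counts[cur][nxt] += 1
    graph = {}
    for cur, successors in counts.items():
        total = sum(successors.values())
        graph[cur] = {nxt: n / total for nxt, n in successors.items()}
    return graph


def transition_prob(graph, cur, nxt):
    """Probability of the edge cur -> nxt; 0.0 if the state or the edge was never seen."""
    return graph.get(cur, {}).get(nxt, 0.0)


def detect_anomalies(graph, run, threshold=0.05):
    """Flag every transition whose learned probability is below the threshold.

    Returns a list of (index, cur, nxt, prob). A source state absent from the
    graph (e.g. an attacker-induced state) yields prob 0.0 and is flagged
    instead of crashing the detector.
    """
    flagged = []
    for i, (cur, nxt) in enumerate(zip(run, run[1:])):
        p = transition_prob(graph, cur, nxt)
        if p < threshold:
            flagged.append((i, cur, nxt, p))
    return flagged


def impact_score(run, flagged, severity=STATE_SEVERITY, w_anomaly=0.5, w_damage=0.5):
    """Fuse an abnormal-feature indicator (share of flagged transitions) with a
    damage-degree indicator (worst severity of any state visited).
    The 50/50 weighting is an assumption for this illustration."""
    n_transitions = max(len(run) - 1, 1)
    anomaly_rate = len(flagged) / n_transitions
    worst_damage = max((severity.get(s, 0.0) for s in run), default=0.0)
    return round(w_anomaly * anomaly_rate + w_damage * worst_damage, 4)


def evaluate_run(run, runs=NORMAL_RUNS):
    """Train on the normal runs, then detect and score one observed run."""
    graph = build_transition_graph(runs)
    flagged = detect_anomalies(graph, run)
    return flagged, impact_score(run, flagged)


if __name__ == "__main__":
    # Constructed attacked run: a repeated "filling" command followed by an
    # "overheat" state that never occurs in normal operation.
    attacked = ["idle", "filling", "filling", "heating", "overheat", "draining"]
    for run in (NORMAL_RUNS[0], attacked):
        flagged, score = evaluate_run(run)
        print(run, "->", len(flagged), "flagged transitions, impact score", score)
```

On the constructed data the normal run produces no flagged transitions and an impact score of 0, while the attacked run has three of its five transitions flagged and, because it visits the maximally severe "overheat" state, scores 0.8. In a real deployment the threshold would be set from the distribution of transition probabilities in held-out normal traffic, and the severity table from a process hazard analysis rather than guessed.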
