关键词: 工业控制系统, 入侵检测系统, 流量检测, 协议检测, 设备状态检测

Abstract: In recent decades, with the introduction of Ethernet and the more close connection with external network, an increasingly larger number of vulnerabilities have been found in the industrial control system (ICS), exposing its serious security problem. These security issues cannot be handled completely due to the variety of the vulnerability. Therefore, we must construct the defense-in-depth system for ICS. In particular, the intrusion detection system (IDS) is one of the most important parts in the defense-in-depth system of ICS. The IDS is able to discover the potential intrusion by misuse detection and anomaly detection. In this survey, we analyze the architecture and characteristics of ICS and provide the detailed descriptions of the security concept of ICS. Then, according to the characteristics of ICS, we put forward a clear requirement of ICS IDS and elaborate its connotation. Moreover, we categorize the existing IDS methods based on the detection strategy, including traffic detection, protocol detection and equipment state detection. In each category, we analyze the detection technique and discuss the detection algorithm. Finally, for future work, from the perspective of the disadvantages of current solutions and the constraints for ICS applications, we summarize some research trends of ICS IDS from the aspects of performance metric, detection technique and detection architecture.

Key words: industrial control system (ICS), intrusion detection system (IDS), traffic detection, protocol detection, equipment state detection