ISSN 1000-1239 CN 11-1777/TP

• 信息安全 •

### 基于信息流和状态流融合的工控系统异常检测算法

1. 1(Beijing Key Laboratory of IoT Information Security (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093) 2 (School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049）; 3(School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083）; 4(China Electric Power Research Institute, Beijing 100192）; 5(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093)
• 出版日期: 2018-11-01
• 基金资助:
国家重点研发计划项目(2016YFB0800202)；国家自然科学基金项目(U1766215，61702506)；国家电网公司科学技术项目(52110417001B)；中国科学院国防科技创新基金项目(CXJJ-16Z234)

### An Industrial Control System Anomaly Detection Algorithm Fusion by Information Flow and State Flow

Yang An1,2, Hu Yan3, Zhou Liang4, Zheng Weimin2,5, Shi Zhiqiang1,2, Sun Limin1,2

1. 1(物联网信息安全技术北京市重点实验室(中国科学院信息工程研究所) 北京 100093）; 2(中国科学院大学网络空间安全学院 北京 100049）; 3(北京科技大学计算机与通信工程学院 北京 100083）; 4(中国电力科学研究院 北京 100192）; 5(中国科学院信息工程研究所 北京 100093) (yangan@iie.ac.cn)
• Online: 2018-11-01

Abstract: Industrial control system (ICS) has highly correlation with physical environment. As a unique type of ICS attack, sequence attack injects the normal operations into the wrong sequence positions, which disturbs the process or even destroys the equipment. At present, most anomaly detection methods for sequence attack just detect the operation sequence acquiring from information flow. However, ICS is weak in protecting itself from cyber-attacks, which means that the data of information flow can be faked by attackers. The fake data is one of the main issues that can severely affect the detection accuracy. To remedy this problem, a fusion ICS anomaly detection algorithm is proposed in this paper. This algorithm utilizes the state information of equipment to establish the state flow. Via fusing state flow with information flow, the anomaly of operation sequence can be detected from the aspects of time and order. Meanwhile, to extend the detection range and reduce the detection latency, we use the data of state flow to recognize the anomaly state of equipment between two operations, which is caused by the sequence attack or other attacks. The experimental results in an ICS testbed demonstrate that our detection algorithm can detect sequence attack efficiently and recognize part of anomaly state of ICS equipment.