ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2018, Vol. 55 ›› Issue (11): 2532-2542.doi: 10.7544/issn1000-1239.2018.20170671

Previous Articles     Next Articles

An Industrial Control System Anomaly Detection Algorithm Fusion by Information Flow and State Flow

Yang An1,2, Hu Yan3, Zhou Liang4, Zheng Weimin2,5, Shi Zhiqiang1,2, Sun Limin1,2   

  1. 1(物联网信息安全技术北京市重点实验室(中国科学院信息工程研究所) 北京 100093); 2(中国科学院大学网络空间安全学院 北京 100049); 3(北京科技大学计算机与通信工程学院 北京 100083); 4(中国电力科学研究院 北京 100192); 5(中国科学院信息工程研究所 北京 100093) (yangan@iie.ac.cn)
  • Online:2018-11-01

Abstract: Industrial control system (ICS) has highly correlation with physical environment. As a unique type of ICS attack, sequence attack injects the normal operations into the wrong sequence positions, which disturbs the process or even destroys the equipment. At present, most anomaly detection methods for sequence attack just detect the operation sequence acquiring from information flow. However, ICS is weak in protecting itself from cyber-attacks, which means that the data of information flow can be faked by attackers. The fake data is one of the main issues that can severely affect the detection accuracy. To remedy this problem, a fusion ICS anomaly detection algorithm is proposed in this paper. This algorithm utilizes the state information of equipment to establish the state flow. Via fusing state flow with information flow, the anomaly of operation sequence can be detected from the aspects of time and order. Meanwhile, to extend the detection range and reduce the detection latency, we use the data of state flow to recognize the anomaly state of equipment between two operations, which is caused by the sequence attack or other attacks. The experimental results in an ICS testbed demonstrate that our detection algorithm can detect sequence attack efficiently and recognize part of anomaly state of ICS equipment.

Key words: industrial control system (ICS), sequence attack, anomaly detection, state flow, infor-mation flow

CLC Number: