ISSN 1000-1239 CN 11-1777/TP

Journal of Computer Research and Development ›› 2021, Vol. 58 ›› Issue (11): 2333-2349.doi: 10.7544/issn1000-1239.2021.20210598

Special Issue: 2021密码学与网络空间安全治理专题

Previous Articles     Next Articles

Multi-Mode Attack Detection and Evaluation of Abnormal States for Industrial Control Network

Xu Lijuan1,2,3, Wang Bailing1,3, Yang Meihong2, Zhao Dawei2, Han Jideng1,4   

  1. 1(School of Computer Science and Technology, Harbin Institute of Technology, Weihai, Shandong 264209);2(Shandong Provincial Key Laboratory of Computer Networks, Shandong Computer Science Center (National Supercomputer Center in Jinan), Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014);3(Technology Research Institute of Cyberspace Security of Harbin Institute, Harbin 150001);4(China Information Technology Security Evaluation Center, Beijing 100085)
  • Online:2021-11-01
  • Supported by: 
    This work was supported by the National Major Program for Technological Innovation 2030—New Generation Artifical Intelligence (2020AAA0107700), the National Key Research and Development Program of China (2018YFE0119700), the National Natural Science Foundation of China (U1836117), the Shandong Provincial Natural Science Outstanding Youth Foundation (ZR2020YQ06), and the Key Research and Development Program of Shandong Province (2019JZZY010132).

Abstract: The ultimate intentions of various attack strategies leads the control system to a critical states or dangerous states for industrial control network. As a consequence, the attack detection method based on abnormal device status exceeds any other methods in terms of reliability. Oriented to the difficulty of accurately determining the ending of attack, this paper established the attack strategies model and the abnormal status description model, and then constructed corresponding datasets under a variety of attack strategies, proposed time slice partitioning algorithm based on inflection point fusion and state feature clustering algorithm, finally constructed an anomaly detection scheme based on state transition probability graph. Experimental results indicate that this scheme can effectively detect a variety of attack strategies. In addition, the research on the quantitative evaluation of semantic attack impacting on system states is relatively weaker than any other attack pattern, such as data injection attack, denial of service attack, and man-in the middle attack. In response to the above phenomenon, with results of anomaly detection as the cornerstone, this paper proposed the scheme of quantitative evaluation of attack impact on system states, according to the fusion analysis of abnormal features and threat degree indicators, for the state changes of the system at different stages. This work has important theoretical valuation and practical significance for identifying attack intention.

Key words: anomaly detection, attack impact evaluation, device status, state transition probability graph, industrial control network

CLC Number: