Abnormality detecting method based on industrial control system network traffic

An industrial network anomaly detection technology, applied in the field of information security, that addresses problems such as the lack of breakthrough progress, ineffective detection of industrial network traffic anomalies, and difficulty in meeting industrial network security needs.

Inactive Publication Date: 2014-03-26
BEIJING UNIV OF TECH

AI Technical Summary

Problems solved by technology

[0003] Although research on the security of industrial control systems has a history of more than 30 years, network security technology from the traditional Internet cannot simply be transplanted to the industrial control network, so no breakthrough has been made so far. Anomaly detection is also still in the early stages of research.
[0004] The existing industrial network anomaly detection methods at home and abroad mainly include anomaly detection based on autoregressive processes, anomaly detection based on hidden Markov models, anomaly detection based on neural networks, and so on. These methods basically follow the traditional Ethernet scheme, and their anomaly detection effect on industrial network traffic is not obvious.
Industrial control systems are generally used in industries such as energy, electric power, chemicals, transportation, and manufacturing. The characteristics of traffic in industrial control systems differ from those of traditional Ethernet, so it is difficult to directly apply traditional Ethernet solutions to meet the current security requirements for industrial networks.

Examples


Embodiment Construction

[0014] The steps of the method of the present invention are described in detail below with reference to Figure 1:

[0015] Referring to Figure 1, the invention is an anomaly detection method for the network traffic of an industrial control system. The detection method is divided into three modules: 1. The data preprocessing module is responsible for processing the data traffic in the early stage. 2. The traffic modeling module establishes a normal model and an abnormal model according to the low-frequency power and distribution of normal traffic and abnormal traffic, so as to calculate the low-frequency power and critical value. 3. The anomaly detection module detects anomalies in unknown traffic according to the low-frequency power and critical value. The specific process is as follows:

[0016] First, use the data preprocessing module to perform data preprocessing on the industrial control system network traffic.

[0017] The industrial control system experimental platform here adopts the ...


Abstract

The invention relates to an anomaly detection method based on industrial control system network traffic and belongs to the field of information security. Industrial control system network traffic is collected and its features are analyzed. When a digital signal processing method is used to convert the traffic signals from the time domain to the frequency domain, normal and abnormal traffic samples are found to differ markedly in power spectral density. A critical value for the low-frequency power sum is found by analyzing these differences in a large amount of historical data; if the low-frequency power of a sample to be detected is larger than the critical value, the sample traffic is taken as abnormal traffic. The method includes a data preprocessing module, a traffic modeling module and an anomaly detection module. The data preprocessing module processes the traffic data in the early stage. The traffic modeling module builds normal and abnormal models according to the low-frequency power and distribution of normal traffic and abnormal traffic, from which the critical value for the low-frequency power sum can be calculated. The anomaly detection module detects anomalies. The false alarm rate of the method is 6.1% and the missed alarm rate is 9.3%.
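The three-stage flow in the abstract (traffic window to frequency domain, low-frequency power sum, comparison with a critical value learned from labelled history) can be sketched as follows. This is an added example, not code from the patent: the window length, the low-frequency cutoff bin, the removal of the mean rate, the midpoint rule for the critical value, and the traffic series themselves are all assumptions constructed for illustration.

```python
import cmath
import math

def low_freq_power(window, cutoff_bin):
    """Sum periodogram power over bins 1..cutoff_bin (DC bin excluded)."""
    n = len(window)
    mean = sum(window) / n
    x = [v - mean for v in window]  # assumption: remove the mean rate first
    total = 0.0
    for k in range(1, cutoff_bin + 1):
        xk = sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        total += abs(xk) ** 2 / n  # periodogram estimate of the PSD at bin k
    return total

def fit_threshold(normal_windows, abnormal_windows, cutoff_bin):
    """Assumed rule: midpoint between the two classes' mean low-frequency power."""
    def mean_power(windows):
        return sum(low_freq_power(w, cutoff_bin) for w in windows) / len(windows)
    return (mean_power(normal_windows) + mean_power(abnormal_windows)) / 2

def is_abnormal(window, threshold, cutoff_bin):
    """Flag a window whose low-frequency power exceeds the critical value."""
    return low_freq_power(window, cutoff_bin) > threshold

def make_window(n, poll_amp, drift_amp):
    """Constructed packets-per-interval series: polling cycle at bin 8, slow drift at bin 1."""
    return [20 + poll_amp * math.sin(2 * math.pi * 8 * t / n)
            + drift_amp * math.sin(2 * math.pi * t / n) for t in range(n)]

N, CUTOFF = 64, 4  # assumed window length and low-frequency band
NORMAL = [make_window(N, 3, d) for d in (0.0, 0.5, 1.0)]    # constructed history
ABNORMAL = [make_window(N, 3, d) for d in (5.0, 6.0, 8.0)]  # constructed history
THRESHOLD = fit_threshold(NORMAL, ABNORMAL, CUTOFF)

if __name__ == "__main__":
    for name, w in [("steady polling", make_window(N, 10, 2.0)),
                    ("slow surge", make_window(N, 3, 7.0))]:
        print(name, round(low_freq_power(w, CUTOFF), 1), is_abnormal(w, THRESHOLD, CUTOFF))
```

A stronger polling cycle alone does not trip the detector because its energy sits above the cutoff bin; only slow variation inside the low-frequency band raises the measured sum.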

Description

Technical field:

[0001] The invention relates to an anomaly detection method for the network traffic of an industrial control system. It belongs to the field of information security.

Background technique:

[0002] With the rapid development and wide application of computer and Internet technology, the security of computer network systems has been seriously challenged, and security threats to industrial control systems in particular are gradually increasing. The industrial control system is an important part of the national security strategy. About 90% of the critical infrastructure involving the people needs to rely on industrial control systems to realize automation. The emergence of the "Stuxnet" virus in 2010 ushered in a new era for cyber attacks on industrial control systems. Although it exploits vulnerabilities in the Microsoft Windows operating system and can spread widely on the Internet like traditional worms, it is not for the purpose of obtaining user data or m...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26
Inventor: 赖英旭, 高春梅, 杨震, 李健
Owner: BEIJING UNIV OF TECH