A depth packet detection platform based on industrial SCADA system

Abstract

The invention discloses a depth packet detection platform based on an industrial SCADA system. The detection platform can be used for detecting the system state by means of Modbus / Tcp and IEC 60870-5-104 protocol which are commonly used in a power system. The detection platform includes four parts: an industrial SCADA system simulation platform, a depth packet analysis module, an abnormity detection module and an intrusion module. Based on the typical interactive mode of periodic polling in SCADA system, the detection platform simulates the normal network data flow in power system, and simulates the abnormal state of the system and the corresponding network data flow by protocol vulnerability analysis and message variation. Feature analysis and extraction of the message field information,through the machine learning method to build a system state model, to achieve the integrity of the system state, in-depth detection.

Description

technical field [0001] The present invention relates to the field of industrial control systems, in particular to protocol analysis and anomaly detection in the communication environment of industrial SCADA systems, constructing positive / abnormal data sets based on protocol formats and vulnerabilities, and detecting system states through machine learning methods platform. Background technique [0002] The industrial control system is composed of various automation control components and process control components for collecting and monitoring real-time data. It is a business process control system that ensures the automatic operation, process control and monitoring of industrial technical facilities. Its core components include data collection and Monitoring system (SCADA), distributed control system (DCS), programmable logic controller (PLC), remote terminal (RTU), intelligent electronic device (IED) and the interface technology to ensure the communication of each component,...

AI Technical Summary

Problems solved by technology

The deep packet inspection methods currently used in most research work have high requirements for the application target scene and protocol environment. A small number of commonly used fields are analyzed on the network data stream or the existing field information is directly used as the data set. The information is directly used as the characteristics of the network data flow to establish a system state model, which lacks a complete feature analysis and extraction of the information contained in the network data flow, and can only have a relatively ideal effect when the abnormal behavior involves commonly used fields.

In addition, most of the existing research work modifies and destroys the system state through several known common attacks, and constructs corresponding data sets. There is almost no work that can well simulate various abnormal states that may occur in the field scene, and the detection effect has certain limitations

Images