An industrial control network anomaly detection method and device

Abstract

The embodiment of the invention provides an industrial control network abnormity detection method and device, and the method comprises the steps: automatically generating a security baseline in a certain time period based on an unsupervised baseline learning method, and carrying out the warning of an abnormal data frame or a data frame sequence; And when the security baseline is generated in the new time period, analyzing the change trend of the historical security baseline sequence in the preset time period, and predicting and alarming the potential security threat according to a trend analysis result. According to the embodiment, the abnormal detection of the industrial control network is realized; manual adjustment and confirmation after the network security baseline is generated basedon supervised learning in advance are not needed; the network security baseline is automatically generated according to the continuously obtained network traffic, the potential threat that the baseline sequence gradually deviates from the normal value can be found by analyzing the trend of the historical baseline sequence, and the method reduces the operation complexity of generating the industrial control security baseline and improves the stability of the security baseline.

Description

technical field [0001] Embodiments of the present invention relate to the technical field of industrial network security, and in particular, to a method and device for detecting abnormality in an industrial control network. Background technique [0002] With the rapid development of information technology, industrial control network is facing more and more risks. [0003] Currently, some anomaly detection methods for industrial control networks are disclosed in the prior art. Among them, some methods belong to the detection method of the defect category, and cannot effectively predict or take active defense measures before the occurrence of network anomalies; some methods detect network anomalies from the dimensions of network speed, bandwidth, and corresponding time periods, and do not pay attention to The content of communication data and communication details in the network; some methods describe the judgment method of abnormal traffic from the perspective of algorithm, ...

AI Technical Summary

Problems solved by technology

Among them, some methods belong to the detection method of the defect category, and cannot effectively predict or take active defense measures before the occurrence of network anomalies; some methods detect network anomalies from the dimensions of network speed, bandwidth, and corresponding time periods, and do not pay attention to The content of communication data and communication details in the network; some methods describe the judgment method of abnormal traffic from the perspective of algorithm, but in the application scenario of protecting industrial control network security, it is necessary to set the feature value and rule engine in advance before abnormal detection, extract The eigenvalues ​​and the set rule engine’s evaluation criteria for the results depend on certain experiences. The application process of the method is relatively complicated, requiring repeated debugging of the parameters, and the final result is limited by the traffic obtained during the debugging process; some methods capture, identify , Analyze industrial network data, and conduct data analysis according to industrial protocol behavior and industrial behavior model library, so as to determine whether there is anomaly in industrial traffic. The disadvantage of this method is that there is no clear standard for the construction of industrial behavior model library, only It is mentioned that the application of intelligent methods including association mining, sequence mining, classification, and clustering algorithms cannot deal with the gradual abnormal trend of protocol behavior or device response values ​​over time, and does not consider the malformed packets encountered during the protocol in-depth analysis process Some methods are industrial control network anomaly detection methods (network whitelist) that form a security baseline through traffic self-learning. Although this method has strong adaptability and flexibility, in actual use, the length of time to open the learning mode There is no clear standard, and the learning results have a strong dependence on the traffic captured during the learning period. The implementation process is complex and takes a long time. The adjustment of the security baseline depends to a certain extent on the operator's industrial control security experience

Some methods have efficient protection effects on the IEC60870-5-104 protocol in the power field, but have certain limitations and cannot protect more industrial application sites based on industrial protocols such as Modbus, S7COMM, and ENIP / CIP

Images