Industrial control system-oriented intrusion detection rule matching optimization method

An industrial control system intrusion detection technology, applied in the fields of instrumentation, computation and electrical digital data processing, which addresses problems such as low rule-matching efficiency, insufficient discovery of intrusions and the impracticality of manual rule classification and sorting, so as to shorten alarm time and improve detection efficiency.

Active Publication Date: 2021-08-06
XIAN THERMAL POWER RES INST CO LTD

AI Technical Summary

Problems solved by technology

For equipment using misuse detection technology, because of a lack of in-depth understanding of the actual industrial production environment, a large number of detection rules are kept in the rule base in order to ensure the completeness of the matching rules, and many of them are invalid. During operation of the system, the security operation and maintenance personnel add many further detection rules to the device according to on-site conditions. When the intrusion detection device then checks data packets by traversing the rules, matching efficiency is low, so that when a network which can actually affect production is intruded, the detection is not timely enough.
[0003] In actual industrial production sites, industrial control systems often face tentative and harassing attacks. Although intrusion detection also needs to detect such attacks, the rules corresponding to them can be deferred, while the detection rules corresponding to attacks that can actually cause damage should be moved forward. How to classify and sort the rules in the rule base according to the vulnerabilities and security-configuration weaknesses of industrial control system assets is the key to improving the pertinence and timeliness of detection; at the same time, because the number of rules is huge and constantly changing, relying on manual classification and sorting is not realistic.


Embodiment Construction

[0023] The present invention is described in further detail below in conjunction with the accompanying drawings and an embodiment:

[0024] As shown in Figure 1, the intrusion detection rule matching optimization method for industrial control systems is illustrated by taking the open-source intrusion detection system Snort as an example, and includes the following steps:

[0025] (1) According to the network topology of the industrial control system and the actual situation of the business system, compile the legitimate access list of the industrial control system business, covering both access inside the industrial control system and interactive access between inside and outside, and record the protocol, source address, source port, destination address, destination port and other information corresponding to each access relationship; the uncontrolled access list can then be derived from the legitimate access list of the industrial control system business; and then...


Abstract

An industrial control system-oriented intrusion detection rule matching optimization method comprises the following steps: compile information such as the IP addresses, ports, vulnerabilities and security configuration of the industrial control system assets; select a number of feature attributes from the rule headers and rule options of the matching rules; set the number of cluster centres to 3 and divide the rules in the rule base into three levels with a k-means (mean value) clustering algorithm; calculate, for each rule, the threat value that applies once the rule matches, from the rule header feature data, the vulnerability score, the configuration weakness score and the threat score of the rule action, and sort the rules within each level by threat value; and, when a data packet is inspected, extract its feature information and match it against the rules in that graded and sorted order. In this way the rules in the rule base are graded and sorted according to the real threats faced by the industrial control system, the rules corresponding to harassment attacks are matched later, the problem of low detection efficiency caused by the large number of rules is solved, and detection efficiency is improved.
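The grading and ordered matching described in the abstract, worked through on a constructed Snort-style rule base. This is an added illustration, not code from the patent: the numeric scores, the feature attributes, the action weights and the weighted-sum threat formula are all assumptions, since the patent names the inputs to the threat value but not the formula.

```python
ACTION_THREAT = {"drop": 3.0, "reject": 2.0, "alert": 1.0, "log": 0.5}  # assumed weight of the rule action

def rule(sid, proto, dst_port, action, vuln, config, features):
    # dst_port 0 = any; vuln/config = asset vulnerability and config-weakness scores;
    # features = numeric attributes drawn from the rule header/options (all constructed).
    return dict(sid=sid, proto=proto, dst_port=dst_port, action=action,
                vuln=vuln, config=config, features=features)

def threat_value(r):  # assumed weighted sum; the patent names the inputs, not the formula
    return 2.0 * r["features"][0] + r["vuln"] + r["config"] + ACTION_THREAT[r["action"]]

def kmeans(points, k=3, iters=25):
    # Plain k-means (the patent fixes k = 3), seeded with the min, median and max point
    # on the first feature so the result is deterministic.
    order = sorted(range(len(points)), key=lambda i: points[i][0])
    centers = [points[order[j]] for j in (0, len(points) // 2, len(points) - 1)]
    dist = lambda p, c: sum((a - b) ** 2 for a, b in zip(p, c))
    for _ in range(iters):
        labels = [min(range(k), key=lambda c: dist(p, centers[c])) for p in points]
        new = []
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c] or [centers[c]]
            new.append(tuple(sum(x) / len(members) for x in zip(*members)))
        if new == centers:
            break
        centers = new
    return labels

def grade_and_sort(rules):
    # Cluster into 3 levels, rank levels by mean threat (1 = highest), sort within level.
    labels = kmeans([r["features"] for r in rules])
    for r, l in zip(rules, labels):
        r["level"], r["threat"] = l, threat_value(r)
    mean = {c: sum(r["threat"] for r in rules if r["level"] == c) / max(1, labels.count(c)) for c in range(3)}
    rank = {c: i + 1 for i, c in enumerate(sorted(mean, key=mean.get, reverse=True))}
    for r in rules:
        r["level"] = rank[r["level"]]  # relabel so level 1 is the most threatening cluster
    return sorted(rules, key=lambda r: (r["level"], -r["threat"]))

def first_match(pkt, ordered):
    # Walk the graded, sorted list; return (sid, rules examined) for the first hit.
    for n, r in enumerate(ordered, 1):
        if r["proto"] == pkt["proto"] and r["dst_port"] in (0, pkt["dst_port"]):
            return r["sid"], n
    return None, len(ordered)

# Constructed rule base: sids 1-2 cover a Modbus/PLC vulnerability, 5-6 are probe noise.
RULES = [rule(1, "tcp", 502, "alert", 9.8, 2.0, (0.9, 0.9)), rule(2, "tcp", 502, "drop", 7.5, 3.0, (0.8, 1.0)),
         rule(3, "tcp", 80, "alert", 5.0, 1.0, (0.5, 0.5)), rule(4, "udp", 161, "alert", 4.0, 2.0, (0.4, 0.6)),
         rule(5, "icmp", 0, "log", 0.0, 0.0, (0.1, 0.1)), rule(6, "tcp", 22, "log", 1.0, 0.5, (0.2, 0.0))]
ORDERED = grade_and_sort(RULES)
```

With this ordering a packet towards the PLC's Modbus port hits a level-1 rule on the first comparison, while an ICMP probe is only matched by the last rule in the list, which is the deferral of harassment-attack rules that the abstract describes.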

Description

Technical field

[0001] The invention relates to the technical field of industrial control security detection, in particular to an industrial control system-oriented intrusion detection rule matching optimization method.

Background art

[0002] In order to ensure the security of industrial production networks, intrusion detection equipment is generally deployed in industrial control systems. The existing mainstream technologies are misuse detection and anomaly detection. For equipment using misuse detection technology, because of a lack of in-depth understanding of the actual industrial production environment, a large number of detection rules are kept in the rule base in order to ensure the completeness of the matching rules, and many of them are invalid. During operation of the system, the security operation and maintenance personnel add many further detection rules to the device according to on-site conditions. When the intrusion detection device u...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, G06F21/57
CPC: G06F21/552, G06F21/577
Inventors: 刘超飞, 毕玉冰, 崔逸群, 曾荣汉, 胥冠军, 吕珍珍, 朱博迪, 邓楠轶
Owner: XIAN THERMAL POWER RES INST CO LTD