面向工业通信行为的异常检测及安全感知方法研究

Due to the growing dependencies of information network technology, industrial control systems are undergoing a severe blow of cyber-attacks, and it is necessary to resolve these security issues by developing adequate and practical information security techniques and theories. From various industrial communication characteristics, the changes of industrial communication behaviors not only represent the basic communication activities of industrial process control and data acquisition, but also reflect the anomalous situations of industrial control systems. In order to effectively detect network attacks in industrial control systems, it is essential to design the corresponding anomaly detection approaches and security awareness theories. Furthermore, combined with network threat ways and attack types in existing industrial control systems, this project proposes the industrial communication behavior classification and vulnerability analysis, and focuses on anomaly detection and security awareness method for different industrial communication behaviors, specifically including: firstly, for the industrial protocol behavior, a measurement mechanism based on longitude and latitude similarities is constructed to achieve anomaly detection; secondly, for the functional control behavior, a double contour model based on “black/white-listing” rules is built to achieve anomaly detection; thirdly, for the technological data behavior, a hidden Markov model based on sequence recognition is designed to achieve anomaly detection; finally, with the above partial researches, a security awareness theory based on multiple behavior association is presented to achieve threat prediction of the whole system. Besides, simulation experiments and numerical analysis can be carried out to complete function and performance evaluations. Research achievements of this project can play a positive role to promote the development and application of network and information security in industrial control areas, and provide important theoretical foundation and technical support for improving the study of security detection and awareness mechanisms in industrial control systems.

工业通信行为变化不仅是工业过程控制与数据采集等通信活动的基本表征，同时也是工业控制系统出现异常的重要反映。为了有效检测工业控制网络的恶意攻击行为，本项目结合现有工业控制系统中网络威胁形式及攻击方式，深入挖掘工业通信行为的特点，在对工业通信行为进行分类和脆弱性分析的基础上，重点研究面向不同工业通信行为的异常检测及安全感知方法与理论，具体包括：建立经纬相似性度量机制，实现工业协议行为的异常检测；构建基于“黑/白名单”规则的双轮廓模型，实现功能控制行为的异常检测；设计序列认知的隐马尔可夫模型，实现工艺数据行为的异常检测；并在上述局部安全检测基础上，提出多元化行为关联的安全感知理论，实现系统整体的威胁预测。最后通过实验数据分析，进行功能与性能评估。研究成果不仅促进网络与信息安全在工业控制领域的发展与应用，同时也为深化和完善工业控制系统的入侵检测与安全感知提供重要理论依据和技术支持。

工业通信行为变化不仅是工业过程控制与数据采集等通信活动的基本表征，同时也是工业控制系统出现异常的重要反映。为了有效检测工业控制网络的恶意攻击行为。本项目结合现有工业控制系统中网络威胁形式及攻击方式，深入挖掘工业 信行为的特点，在对工业通信行为进行分类和脆弱性分析的基础上，重点研究面向不同工业通信行为的异常检测及安全感知方法与理论，主要研究内容包括：工业通信行为的分类及脆弱性研究、入侵检测理论与方法研究、安全态势感知理论与方法研究。.从Modbus TCP、Powerlink工业协议，以及工业通信行为深入分析；工业现场数据获取与分析、公开数据集获取；工业控制系统协议脆弱性模糊测试方法三个方面开展了工业通信行为的分类及脆弱性研究。入侵检测理论与方法方面，提出了一种基于PSO-SVDD的Powerlink工控协议的异常检测方法；基于双轮廓模型的功能控制行为异常检测方法研究；基于序列认知的工艺数据行为异常检测方法研究；基于深度学习的随机森林算法的入侵检测模型；基于SDAE和LSTM相结合的深度学习异常检测方法。在安全态势感知理论与方法方面，分别开展了基于多元化行为关联的系统性安全感知理论、工业控制系统脆弱性量化评估方法、工业控制系统信息安全风险评估方法等研究工作。.在国内外核心期刊及国际学术会议上发表高水平论文32篇，其中SCI或EI检索15篇。申请国家发明专利7项，国际发明专利2项。项目负责人牵头制定并发布相关国家标准1项。获得2018年度辽宁省科学技术成果奖二等奖。项目负责人获得2018年度中国自动化学会杰出自动化工程师称号。.基于本项目研究成果，研发了工控攻击检测系统，并在石化、石油、污水处理等行业中进行了应用验证。