Authors: Yang An [1,2], Hu Yan, Zhou Liang, Zheng Weimin [2,5], Shi Zhiqiang, Sun Limin [1,2]
Affiliations: [1] Beijing Key Laboratory of IoT Information Security Technology (Institute of Information Engineering, Chinese Academy of Sciences), Beijing 100093; [2] School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049; [3] School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing 100083; [4] China Electric Power Research Institute, Beijing 100192; [5] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093
Source: Journal of Computer Research and Development (计算机研究与发展), 2018, No. 11, pp. 2532-2542 (11 pages)
Funding: National Key Research and Development Program of China (2016YFB0800202); National Natural Science Foundation of China (U1766215, 61702506); Science and Technology Project of State Grid Corporation of China (52110417001B); Defense Science and Technology Innovation Fund of the Chinese Academy of Sciences (CXJJ-16Z234)
Abstract: Because an industrial control system (ICS) is tightly coupled to its physical environment, it is exposed to a distinctive class of attack, the sequence attack, in which legitimate operations are injected at the wrong positions of an operation sequence, forcing the ICS into an abnormal state, damaging equipment, or even harming the surrounding environment. Existing sequence-attack detection methods mostly extract the operation sequence from the information flow alone; since an ICS is weak at protecting itself from cyber attacks, the information flow can contain erroneous or forged data, which limits detection accuracy. To address this, and taking full account of the interdependence between ICS operations and the physical environment, this paper proposes a dual-flow fusion anomaly detection mechanism for industrial control: the state of industrial control equipment is extracted in real time from the physical environment to form a device state flow, which is fused with the information flow so that an operation sequence can be checked along two dimensions, operation order and operation timing. The device state flow is also used to recognise abnormal equipment states in the intervals between operations, whether caused by a sequence attack or by other attacks, which widens the detection range, shortens detection latency and improves the accuracy of detecting timing anomalies. Experiments on an ICS testbed show that the method effectively identifies sequence attacks and some abnormal states of industrial control equipment.
Keywords: industrial control system; sequence attack; anomaly detection; device state flow; information flow
Classification: TP391 [Automation and Computer Technology: Computer Application Technology]
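The following Python sketch is an added illustration of the dual-flow idea described in the abstract, written for this page; it is not the paper's algorithm (the abstract does not give the algorithm in detail) nor its data. It checks an operation sequence taken from the information flow for order and timing, then corroborates it against a device state flow sampled from the plant, and separately watches the state flow for out-of-limit process values between operations. The tank plant, the actuator names, the order and timing tables, the settling time and all three traces are constructed assumptions for the example.

```python
# Toy dual-flow sequence-attack detector (added illustration, not the paper's
# algorithm). The plant model, rule tables and traces are all constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:                  # one operation parsed from control traffic
    t: float               # seconds since the start of the trace
    name: str

@dataclass(frozen=True)
class State:               # one reading sampled from the physical equipment
    t: float
    inlet_open: bool
    outlet_open: bool
    level: float           # normalised tank level, 0.0 .. 1.0

# Order model (constructed): the only legal successor of each operation.
ALLOWED_NEXT = {"open_inlet": {"close_inlet"}, "close_inlet": {"open_outlet"},
                "open_outlet": {"close_outlet"}, "close_outlet": {"open_inlet"}}
# Timing model (constructed): allowed seconds between consecutive operations.
INTERVAL = {("open_inlet", "close_inlet"): (20.0, 40.0), ("close_inlet", "open_outlet"): (0.0, 10.0),
            ("open_outlet", "close_outlet"): (20.0, 40.0), ("close_outlet", "open_inlet"): (0.0, 10.0)}
# Physical effect each operation must produce in the state flow (constructed).
EFFECT = {"open_inlet": ("inlet_open", True), "close_inlet": ("inlet_open", False),
          "open_outlet": ("outlet_open", True), "close_outlet": ("outlet_open", False)}
SETTLE = 2.0       # seconds an actuator may take to reach the commanded position
LEVEL_MAX = 0.9    # process limit the state flow must never exceed

def state_at(states, t):
    """Most recent reading taken at or before time t (None if there is none)."""
    cur = None
    for s in states:
        if s.t > t:
            break
        cur = s
    return cur

def detect(ops, states):
    """Return sorted (time, kind, detail) alerts from fusing both flows."""
    alerts = []
    # (1) order and (2) timing checks use only the information flow
    for prev, cur in zip(ops, ops[1:]):
        if cur.name not in ALLOWED_NEXT.get(prev.name, set()):
            alerts.append((cur.t, "order", f"{cur.name} after {prev.name}"))
            continue                              # no timing bound for an illegal pair
        lo, hi = INTERVAL[(prev.name, cur.name)]
        if not lo <= cur.t - prev.t <= hi:
            alerts.append((cur.t, "timing", f"{prev.name}->{cur.name} gap {cur.t - prev.t:.0f}s"))
    # (3) every reported operation must show up in the state flow within SETTLE
    #     seconds; a record forged into the information flow fails here
    for op in ops:
        field, want = EFFECT[op.name]
        s = state_at(states, op.t + SETTLE)
        if s is None or getattr(s, field) != want:
            alerts.append((op.t, "unconfirmed", f"{op.name} not reflected in {field}"))
    # (4) every actuator change seen in the state flow needs a reported operation
    for a, b in zip(states, states[1:]):
        for field in ("inlet_open", "outlet_open"):
            if getattr(a, field) != getattr(b, field) and not any(
                    EFFECT[op.name] == (field, getattr(b, field)) and a.t - SETTLE <= op.t <= b.t
                    for op in ops):
                alerts.append((b.t, "unreported", f"{field} changed with no operation"))
    # (5) between operations the process variable must stay inside its limit
    over = False
    for s in states:
        if s.level > LEVEL_MAX and not over:
            alerts.append((s.t, "state", f"level {s.level:.2f} above {LEVEL_MAX}"))
        over = s.level > LEVEL_MAX
    return sorted(alerts)

def simulate(ops, duration, ignore=()):
    """Toy plant (constructed): one reading per second; an actuator moves one second
    after its command. Operations in `ignore` are reported but never executed."""
    ignore = set(ignore)
    act = {"inlet_open": False, "outlet_open": False}
    level, readings = 0.1, []
    for t in range(duration + 1):
        for op in ops:
            if op.t + 1 == t and op not in ignore:
                field, value = EFFECT[op.name]
                act[field] = value
        readings.append(State(float(t), act["inlet_open"], act["outlet_open"], round(level, 3)))
        level = min(1.0, max(0.0, level + 0.02 * act["inlet_open"] - 0.02 * act["outlet_open"]))
    return readings

# Constructed traces: a normal fill/drain cycle, the same cycle with a legitimate
# open_inlet injected at an illegal position (sequence attack), and the normal
# cycle with its close_inlet record forged (present in the information flow only).
NORMAL = [Op(0.0, "open_inlet"), Op(30.0, "close_inlet"), Op(35.0, "open_outlet"), Op(65.0, "close_outlet")]
SEQ_ATTACK = NORMAL[:2] + [Op(33.0, "open_inlet")] + NORMAL[2:]

def run(ops, ignore=()):
    return detect(ops, simulate(ops, 100, ignore))

if __name__ == "__main__":
    for label, ops, ignore in [("normal", NORMAL, ()), ("sequence attack", SEQ_ATTACK, ()),
                               ("forged close_inlet", NORMAL, [NORMAL[1]])]:
        print(label, run(ops, ignore))
```

The normal cycle raises nothing. The injected open_inlet is a legitimate command, so a pure information-flow check can only flag it by position (check 1); the state flow then also shows the consequence, the tank level crossing its limit some seconds after the outlet closes (check 5), which is the "abnormal state between operations" the abstract refers to. In the forged trace the order and timing of the reported sequence are perfectly legal, and only the corroboration against the state flow (check 3) reveals that close_inlet was never executed.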