Real-time intrusion detection method for industrial network traffic


Authors: LIAN Lian (连莲), WANG Wencheng (王文诚), ZONG Xuejun (宗学军), HE Kan (何戡) [1,2] (College of Information Engineering, Shenyang University of Chemical Technology, Shenyang 110142, Liaoning, China; Key Laboratory of Information Security for Petrochemical Industry in Liaoning Province, Shenyang University of Chemical Technology, Shenyang 110142, Liaoning, China)

Affiliations: [1] College of Information Engineering, Shenyang University of Chemical Technology, Shenyang 110142, Liaoning; [2] Key Laboratory of Information Security for Petrochemical Industry in Liaoning Province, Shenyang University of Chemical Technology, Shenyang 110142, Liaoning

Source: Journal of Shenyang University of Technology (沈阳工业大学学报), 2025, No. 1, pp. 98-105 (8 pages)

Funding: Liaoning Province "Xingliao Talents Program" project (XLYC2002085); Central Government Guided Local Science and Technology Development Fund project (辽科发规[20.23]7号-36).

Abstract: [Objective] The Industrial Internet is an important part of national critical infrastructure, and its security is directly related to national security, economic stability and social order. With the widespread application of the Industrial Internet, network attacks on industrial control systems occur frequently and cause serious economic losses and social impact; developing efficient real-time intrusion detection systems is therefore particularly important. Traditional intrusion detection systems often fail to effectively distinguish normal traffic from abnormal traffic when processing high-dimensional network traffic data, especially in the absence of abnormal traffic samples. [Methods] To solve this problem, this study analyzed the real network traffic characteristics of an oil and gas gathering pipeline industrial control system and proposed a real-time anomaly detection method for industrial networks that combines Suricata with sliding-window density clustering. Targeting the characteristics of industrial network traffic, the method uses the open-source and extensible nature of Suricata and the dynamic detection capability of the sliding-window density clustering algorithm to establish a full-process intrusion detection model from traffic collection and parsing to real-time intrusion detection. Analysis of network traffic in a real industrial control system environment shows that industrial network traffic has a certain periodicity. The Gini coefficient is used to select the features that reflect the degree of heterogeneity of industrial network traffic, achieving dimensionality reduction; the reduced-dimensional data are grouped with a sliding window to construct thresholds for the normal traffic characteristics of the industrial network. Suricata is rewritten to collect and parse traffic in real time, and the parsed results are fed into the constructed sliding-window density clustering intrusion detection algorithm, where comparison with the normal-traffic thresholds quickly screens out the absolutely normal groups and the absolutely abnormal groups. For groups in which normal and abnormal traffic are mixed, the density clustering algorithm separates the abnormal traffic, completing anomaly detection. [Results] The intrusion detection method was applied in a full-process oil and gas gathering attack-defense cyber range and extensively tested; it effectively identifies abnormal traffic, with a detection rate above 96% and a false alarm rate below 3%. The proposed method meets the efficiency, reliability and real-time requirements of abnormal traffic detection in industrial networks. [Conclusion] The innovation of this study lies in providing a new industrial network abnormal traffic
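As an added illustration that is not part of the paper (the authors' code and data are not on this page), the following Python sketch shows the two-stage scheme described in the Methods: a normal band is learned from sliding windows of normal traffic, each incoming window is triaged as absolutely normal, absolutely abnormal or mixed, and mixed windows are passed to a DBSCAN-style density rule that isolates the anomalous flows. The feature vectors, window size, eps and min_pts are constructed assumptions; the Gini-coefficient feature selection and the Suricata capture step are omitted.

```python
from statistics import mean, pstdev

# Constructed sample: per-flow feature vectors (packets per second, mean payload
# bytes) after feature selection, as might come from parsed Suricata flow
# records. Hypothetical values, not the paper's data.
NORMAL_TRAINING = [[(10, 12), (11, 12), (10, 13), (9, 12)],
                   [(10, 12), (11, 12), (10, 13), (9, 12)]]
STREAM = ([(10, 12), (11, 13), (10, 12), (9, 12)]           # periodic polling
          + [(40, 200), (42, 210), (41, 205), (43, 198)]  # whole window off-band
          + [(10, 12), (11, 12), (10, 13), (30, 12)])     # one outlier among normal

def learn_band(windows, k=3.0):
    """Per-feature normal band (mean +/- k*std) from windows of normal traffic."""
    dims = len(windows[0][0])
    band = []
    for d in range(dims):
        vals = [p[d] for w in windows for p in w]
        m, s = mean(vals), pstdev(vals)
        band.append((m - k * s, m + k * s))
    return band

def in_band(point, band):
    return all(lo <= x <= hi for x, (lo, hi) in zip(point, band))

def density_outliers(points, eps, min_pts):
    """DBSCAN-style noise: points that are not core (fewer than min_pts neighbours
    within eps, self included) and not within eps of any core point."""
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5
    core = [sum(dist(p, q) <= eps for q in points) >= min_pts for p in points]
    return [i for i, p in enumerate(points)
            if not core[i] and not any(core[j] and dist(p, q) <= eps
                                       for j, q in enumerate(points))]

def detect(stream, band, window=4, eps=2.0, min_pts=3):
    """Per window: all in band -> normal, none in band -> abnormal, otherwise
    mixed -> density clustering isolates the anomalous flows.
    Returns (window_start, verdict, anomalous stream indices) per window."""
    results = []
    for start in range(0, len(stream) - window + 1, window):
        pts = stream[start:start + window]
        flags = [in_band(p, band) for p in pts]
        if all(flags):
            results.append((start, "normal", []))
        elif not any(flags):
            results.append((start, "abnormal", list(range(start, start + window))))
        else:
            noise = density_outliers(pts, eps, min_pts)
            results.append((start, "mixed", [start + i for i in noise]))
    return results
```

Running `detect(STREAM, learn_band(NORMAL_TRAINING))` labels the three constructed windows normal, abnormal and mixed, and in the mixed window only the single off-band flow is reported.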

Keywords: industrial network; network security; traffic parsing; feature analysis; Gini coefficient; machine learning; density clustering algorithm; intrusion detection

Classification number: TP393 [Automation and Computer Technology / Computer Application Technology]
