工业控制系统物理层报警量关联算法  

作　　者：王英州 张耀方 徐有方 赵若菡 郭舒畅 刘红梅 张永铮 王佰玲[1] 刘红日 WANG Yingzhou;ZHANG Yaofang;XU Youfang;ZHAO Ruohan;GUO Shuchang;LIU Hongmei;ZHANG Yongzheng;WANG Bailing;LIU Hongri(School of Computer Science and Technology,Harbin Institute of Technology(Weihai),Weihai 264209,China;Weihai Cyberguard Technologies Co.,Ltd,Weihai 264209,China;China Mobile Communications Group Shandong Co.,Ltd,Jinan 250000,China;China Assets Cybersecurity Technology Co.,Ltd,Beijing 100000,China)

机构地区：[1]哈尔滨工业大学(威海)计算机科学与技术学院,山东威海264209 [2]威海天之卫网络空间安全科技有限公司,山东威海264209 [3]中国移动通信集团山东有限公司,山东济南250000 [4]中资网络信息安全科技有限公司,北京100000

出　　处：《网络与信息安全学报》2025年第1期178-188,共11页Chinese Journal of Network and Information Security

基　　金：国家重点研发计划(2021YFB2012400)。

摘　　要：工业控制系统遭到攻击后,可能会导致部分工控设备故障,负责监控设备工作状态的传感器会在物理层产生报警数据。这些传感器变量被称为报警量,它们反映了设备的运行状况。然而,报警数据数量巨大,且相关性难以确定,同时报警信息的源头也很难追溯。针对上述问题,提出了一种针对工业控制系统物理层报警量关联的算法。该算法先通过分析报警记录中的报警开始时间和报警结束时间来量化报警量间的关联度,在关联度的指导下对报警量进行分类关联,构建可能的全局报警关联结构,最后利用K2算法对可能的全局报警关联结构进行评估。同时改进了K2算法的评分函数,从而保证全局报警关联结构的可解释性。实验结果表明,该算法得到的全局报警关联结构具有较好的可解释性,更符合真实工艺流程,有助于分析报警量在物理层的关联关系,对指导工业控制系统安全响应有着重要的意义。Malfunctions of some industrial control equipment may be caused by attacks on industrial control systems,and alarm data was generated at the physical layer by sensors responsible for monitoring the equipment's working status.These sensor variables,referred to as alarm quantities,reflected the operating conditions of the equipment.However,the volume of alarm data was massive,and its correlation was difficult to determine.Simultaneously,tracing the source of the alarm data was also challenging.To address these issues,an algorithm for physical layer alarm correlation in industrial control systems was proposed.The correlation between alarm variables was quantified by analyzing the alarm start time and alarm end time in alarm records.Alarm variables were classified and correlated under the guidance of relevance,and potential global alarm correlation structures were constructed.Finally,the potential global alarm correlation structure was evaluated using the K2 algorithm.Additionally,the scoring function of the K2 algorithm was improved to ensure the interpretability of the global alarm correlation structure.Experimental results demonstrate that the global alarm correlation structure obtained by this algorithm exhibits good interpretability and is more consistent with the real process flow.This structure is helpful in analyzing the correlation between alarm variables at the physical layer and is of significant importance in guiding the security response of industrial control systems.

关 键 词：工业控制系统安全 报警关联 追溯报警源头 K2算法 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]