Journal of Tsinghua University (Science and Technology), 2016, Vol. 56, Issue 1: 14-21    DOI: 10.16511/j.cnki.qhdxxb.2016.23.013
Section: Information Security
工业控制系统场景指纹及异常检测
彭勇1,2, 向憧2, 张淼1, 陈冬青2, 高海辉2, 谢丰2, 戴忠华2
1. 北京邮电大学 信息安全中心, 北京 100876;
2. 中国信息安全测评中心, 北京 100085
Scenario fingerprint of an industrial control system and anomaly detection
PENG Yong1,2, XIANG Chong2, ZHANG Miao1, CHEN Dongqing2, GAO Haihui2, XIE Feng2, DAI Zhonghua2
1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China;
2. China Information Technology Security Evaluation Center, Beijing 100085, China
Full text: PDF (2386 KB)
Abstract (Chinese version, translated): Industrial control systems (ICSs) are cyber-physical systems (CPSs) that monitor and control the physical processes of national critical infrastructure sectors such as electric power, water, oil and natural gas, chemicals, transportation and critical manufacturing. Based on the persistence and stability of the control communication data flows in an ICS, this paper proposes a novel idea and method: extracting system-level behavioral features from the interaction patterns of the industrial control protocols used in the ICS, and using them as an ICS scenario fingerprint. An ICS scenario fingerprint can not only identify a specific ICS, but can also be used to establish a baseline of normal ICS behavior, which is then used to identify abnormal behavior of the system. An experimental system was built using real industrial control equipment and software together with a simulated physical process, and verification experiments were carried out on it. The experimental results show that ICS scenario fingerprinting is a very promising approach for ICS security research.
Keywords: industrial control system; cyber-physical system; scenario fingerprint; anomaly detection
Abstract: Industrial control systems (ICSs) are cyber-physical systems (CPSs) that supervise and control physical processes in critical infrastructure industries such as electric power, water treatment, oil and natural gas exploration, transportation, and the chemical industry. Based on the observation that ICS communication data flows follow stable and persistent control patterns, a concept and a methodology of ICS scenario fingerprinting are proposed, which analyze the interaction behavior of industrial control protocols to represent the system-level normal behavior characteristics of an ICS. An ICS scenario fingerprint can identify a unique ICS installation, and can also serve as a more general method to establish a behavior baseline for ICS systems and then to identify their abnormal behavior. Experiments were carried out to validate the proposed viewpoint, using real equipment for the ICS cyber domain and simulation for the ICS physical domain. The experimental results demonstrate that the ICS scenario fingerprinting technique provides a promising method for ICS security research.
Key words: industrial control system (ICS); cyber-physical system (CPS); scenario fingerprint; anomaly detection
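As an added illustration of the idea in the abstract (example code written for this page, not the paper's own implementation), the following Python builds a scenario fingerprint from constructed HMI-to-PLC polling records (the endpoint pairs that talk, the request/response length templates on the long-lived connection, and the peak packet count per time window) and reports how a capture containing a scan-like burst from an unknown host deviates from that baseline; the addresses, payload lengths, window size and tolerance are assumptions.

```python
from collections import Counter, namedtuple

# (timestamp in s, source, destination, payload length in bytes); constructed records
Pkt = namedtuple("Pkt", "t src dst length")

def poll_cycles(n, period=0.5, hmi="10.0.0.2", plc="10.0.0.10"):
    """Constructed traffic: an HMI polling a PLC over one long-lived TCP connection."""
    pkts = []
    for i in range(n):
        pkts.append(Pkt(i * period, hmi, plc, 31))           # fixed-size read request
        pkts.append(Pkt(i * period + 0.02, plc, hmi, 219))   # fixed-size read response
    return pkts

def fingerprint(pkts, window=1.0, max_rtt=0.1):
    """Endpoint pairs, (request_len, response_len) templates, peak packets per window."""
    pkts = sorted(pkts, key=lambda p: p.t)
    pairs = {(p.src, p.dst) for p in pkts}
    templates, i = set(), 0
    while i < len(pkts) - 1:
        a, b = pkts[i], pkts[i + 1]
        # a reply is the next packet on the reversed pair that arrives within max_rtt
        if (b.src, b.dst) == (a.dst, a.src) and b.t - a.t <= max_rtt:
            templates.add((a.length, b.length))
            i += 2  # request/response pairs do not overlap
        else:
            i += 1
    peak = max(Counter(int(p.t // window) for p in pkts).values())
    return {"pairs": pairs, "templates": templates, "peak": peak}

def detect(baseline, pkts, window=1.0, tolerance=2.0):
    """Alerts for a capture that deviates from the baseline fingerprint."""
    fp = fingerprint(pkts, window)
    alerts = [f"new endpoint pair {s} -> {d}"
              for s, d in sorted(fp["pairs"] - baseline["pairs"])]
    alerts += [f"unseen transaction template req={r} resp={s}"
               for r, s in sorted(fp["templates"] - baseline["templates"])]
    if fp["peak"] > tolerance * baseline["peak"]:
        alerts.append(f"peak {fp['peak']} pkts/window exceeds baseline {baseline['peak']}")
    return alerts

def build_samples():
    """Baseline capture, and the same capture with an unknown host burst-probing the PLC."""
    normal = poll_cycles(20)
    probes = []
    for k in range(10):  # constructed scan-like burst, not real scanner data
        t = 3.1 + k * 0.01
        probes.append(Pkt(t, "10.0.0.99", "10.0.0.10", 22))
        probes.append(Pkt(t + 0.003, "10.0.0.10", "10.0.0.99", 25))
    return normal, normal + probes
```

Running `detect(fingerprint(normal), suspicious)` on the two samples returns one alert per new endpoint pair, one for the unseen 22/25-byte template and one for the packet-rate spike, while the baseline capture itself yields no alerts.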
Received: 2014-10-28      Published: 2016-01-15
CLC number: TP309
Cite this article:
彭勇, 向憧, 张淼, 陈冬青, 高海辉, 谢丰, 戴忠华. 工业控制系统场景指纹及异常检测[J]. 清华大学学报(自然科学版), 2016, 56(1): 14-21.
PENG Yong, XIANG Chong, ZHANG Miao, CHEN Dongqing, GAO Haihui, XIE Feng, DAI Zhonghua. Scenario fingerprint of an industrial control system and anomaly detection. Journal of Tsinghua University (Science and Technology), 2016, 56(1): 14-21.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.23.013  or  http://jst.tsinghuajournals.com/CN/Y2016/V56/I1/14
Figures and tables in the full text:
Fig. 1 Typical architecture of an industrial control system
Fig. 2 Experimental topology of the ICS CSTR scenario
Fig. 3 CSTR model
Fig. 4 Acquisition procedure for the ICS scenario fingerprint
Fig. 5 Captured network traffic (PCAP file)
Fig. 6 Long-lived TCP connection between the HMI and the PLC
Table 1 Interaction time differences at different orders of magnitude
Fig. 7 Number of packet vectors at different time scales
Table 2 Transaction pattern statistics
Fig. 8 Transaction patterns of the CSTR scenario
Fig. 9 ISO-on-TCP protocol packets
Fig. 10 Data flow of a PLCScan scanning attack
Copyright © Editorial Office of the Journal of Tsinghua University (Science and Technology)