工业控制系统入侵检测研究综述

doi:10.11959/j.issn.1000-436x.2017036

摘要/Abstract

摘要：

工业控制系统是国家关键基础设施的重要组成部分，一旦遭受网络攻击，会造成财产损失、人员伤亡等严重后果。为向工控安全领域的研究人员提供理论支持，对工控系统攻击的特点和检测难点进行了分析，报告了工业系统中入侵检测技术的研究现状，并对不同检测技术的性能和特点进行了比较，最后生成了一份工业入侵检测研究综述。

关键词: 工业控制系统, 入侵检测, 误用检测, 异常检测

Abstract:

Industrial control system was an important part of national critical infrastructure,once it was suffered from the cyber attack,it would cause property damage,casualties and other serious disasters.For providing theoretical supports to industrial security researchers,the features of attacks in an industrial control system and the difficulties of detection to these attacks were introduced.Then,a survey of intrusion detection technologies used by the industrial control systems was given.Also,the performance and characteristic were compared for the different types of detection technologies.Fi-nally,an industrial intrusion detection research was generated.

Key words: industrial control system, intrusion detection, misuse detection, anomaly detection

中图分类号:

TP309

赖英旭,刘增辉,蔡晓田,杨凯翔. 工业控制系统入侵检测研究综述[J]. 通信学报, 2017, 38(2): 143-156.

Ying-xu LAI,Zeng-hui LIU,Xiao-tian CAI,Kai-xiang YANG. Research on intrusion detection of industrial control system[J]. Journal on Communications, 2017, 38(2): 143-156.

图/表 6

图1

表1

表2

异常入侵检测性能比较"

研究文献	支持工控协议	检测技术	检测攻击类型或检测规则数	是否检测未知攻击	局限性	检测效果
文献[22]	SCADA	神经网络和动态窗口特征提取技术	零日攻击	是	无	检测率达100%
文献[23]	SCADA	蜜罐技术	无	是	建立的虚拟主机的响应数据分组只有 ICMP、TCP 和UDP	能识别所有虚拟主机设备，并记录异常行为的IP
文献[24]	SCADA	蚁群聚类算法和无监督特征提取技术	DoS、Remote-to-Local （R2L）、User-to-Root （U2R）和Probing攻击	是	无	能检测已知和未知攻击，检测率高，误报率低
文献[25]	密歇根州立大学SCADA 测试床和Modbus	神经网络	重放攻击、中间人攻击和DoS攻击	否	中间人攻击和 DoS 攻击的检测率非常高，但重放攻击的检测率非常低	重放攻击：FNR为42.7%，FPR为45.1%
						中间人攻击：FNR为0～8.9%，FPR为0～6.2%
						DoS攻击：FNR为0～2.0%，FPR为0～8.2%
文献[26]	IEC 61850	基于网络特征的统计分析	27个攻击	是	缺乏与开放的可用网络数据集的比较性能和精确度	检测率高，无误报
文献[27]	Modbus	n-gram 特征提取技术	数据注入攻击	是	无	检测精度较高
文献[29]	SCADA	语义分析技术	水母攻击	是	系统临界状态过于简单	能检测所有潜在威胁
文献[30]	Modbus、DNP3、IEC 61850	流量特性和协议特性分析技术	DoS攻击、中间人攻击和内部人攻击	是	无	能检测到自动化网络可信周界内发起的各种攻击场景
文献[32]	SCADA	n-gram 序列状态分析，统计模型分析	欺骗攻击、篡改攻击、DoS攻击，故障注入	是	只基于系统知识	能快速检测到攻击，误判率低于1.61%
文献[33]	Modbus TCP	单类支持向量机	PLC上的恶意代码	是	在数据预处理上只对Modbus功能码进行基本的向量处理，并未对所获得的所有数据进行建模	精确度高，有较强的学习能力和泛化能力

表2

表3

表4

表5

参考文献 51

[1]	DONALD P C . The application of autonomic computing for the protection of industrial control systems[M]. Tucson: The University of ArizonaPress, 2011.
[2]	《国家信息安全标准化"十一五"规划》(摘登)[EB/OL]. , 2007.
	National information security standardization of 11th five-year planning (act)[EB/OL]. , 2007.
[3]	《关于加强工业控制系统信息安全管理的通知》工信部协[2011]451号[EB/OL]. , 2011.
	The notice to strengthen information security management of industrial control system[EB/OL]. , 2011.
[4]	中华人民共和国国务院. 国务院关于大力推进信息化发展和切实保障信息安全的若干意见[EB/OL]. , 2012.
	The State Council of the People's Republic of China. The State Council on vigorously promote the development of information technology and ensure the several opinions of the information security[EB/OL]. , 2012.
[5]	国家发展和改革委员会高技术产业司. 国家发展改革委办公厅关于组织实施2012年国家信息安全专项有关事项的通知(发改办高技[2012]2019号)[EB/OL]. , 2012.
	The National Development and Reform Commission,the High Technology Industry Company.General Office of the National Development and Reform. Commission about the notice to organizing the implementation of the national information security 2012 special matters (The National Development and Reform Commission and The High Technology Industry Company[2012]No.2019)[EB/OL]. , 2012.
[6]	国家发展和改革委员会高技术产业司. 国家发展改革委办公厅关于组织实施2013年国家信息安全专项有关事项的通知(发改办高技[2013]1965号)[EB/OL]. , 2013.
	The National Development and Reform Commission,the High Technology Industry Company. General Office of the National Development and Reform.Commission about the notice to organizing the implementation of the national information security 2013 special matters (The National Development and Reform Commission and the High Technology Industry Company[2013]No.1965)[EB/OL]. , 2013.
[7]	“工业控制系统深度安全技术”列入科技部发布的“网络空间安全”重点专项2016年度项目申报指南[EB/OL]. , 2016.
	Industrial control system profound security technology" included in "cyberspace security" 2016 special project application guide the sci-ence and technology ministry published[EB/OL]. , 2016.
[8]	SHIN S , KWON T , JO G Y ,et al. An experimental study of hierarchical intrusion detection for wireless industrial sensor networks[J]. IEEE Transactions on Industrial Informatics, 2010,6(4): 744-757.
[9]	JONES R A , HOROWITZ B . A system-aware cyber security architecture[J]. Systems Engineering, 2012,15(2): 225-240.
[10]	胡毅, 于东, 刘明烈 . 工业控制网络的研究现状及发展趋势[J]. 计算机科学, 2010,37(1): 23-28.
	HU Y , YU D , LIU M L . Present research and developing trends on industrial control network[J]. Computer Science, 2010,37(1): 23-28.
[11]	王玉敏, 丁露 . 工业控制系统(ICS)概述和与IT系统的比较[J]. 中国仪器仪表, 2012,(2): 37-43.
	WANG Y M , DING L . Industry control system (ICS) overview and comparison with the IT system[J]. China Instrumentation, 2012,(2): 37-43.
[12]	张帅 . 工业控制系统安全风险分析[J]. 信息安全与通信保密, 2012 (3): 15-19.
	ZHANG S . The security risk analysis of the industrial control system[J]. Information Security and Communications Privacy, 2012(3): 15-19.
[13]	王玉敏 . 工业控制系统的常见攻击[J]. 中国仪器仪表, 2012(3): 60-65.
	WANG Y M . The general attacks and how to protect the ICS[J]. China Instrumentation, 2012(3): 60-65.
[14]	张凤登, 谢力, 应启戛 . 噪声环境中采用探询机制的局域网性能分析[J]. 通信学报, 2002,23(6): 7-13.
	ZHANG F D , XIE L , YING Q J . Performance analysis of LAN using polling mechanism in a noisy environment[J]. Journal of China Institute of Communications, 2002,23(6): 7-13.
[15]	LIU C C , STEFANOW A . Cyber–power system security in a smart grid environment[C]// IEEE PES Innovative Smart Grid Technologies. 2012: 1-3.
[16]	BARBOSA R , SADRE R , PRAS A . Towards periodicity based anom-aly detection in SCADA networks[C]// The 17th International Conference on Emerging Technologies ＆ Factory Automation. 2012: 1-4.
[17]	侯重远, 江汉红, 芮万智 ,等. 工业网络流量异常检测的概率主成分分析法[J]. 西安交通大学学报, 2012,46(2): 70-75.
	HOU C Y , JIANG H H , RUI W Z ,et al. A probabilistic principal component analysis approach for detecting traffic anomaly in industrial networks[J]. Academic Journal of Xi'an Jiaotong University, 2012,46(2): 70-75.
[18]	VOLLMER T,ALVES-FOSS J , MANIC M . Autonomous rule creation for intrusion detection[C]// IEEE Symposium on Computational Intelligence in Cyber Security. 2011: 1-8.
[19]	MORRIS T , VAUGHN R , DANDASS Y . A retrofit network intrusion detection system for modbus RTU and ASCII industrial control systems[C]// The 45th Hawaii International Conference on System Science. 2012: 2338-2345.
[20]	HONG J , LIU C C , GOVINDARASU M . Integrated anomaly detection for cyber security of the substations[J]. IEEE Transactions on Smart Grid, 2014,5(4): 1643-1653.
[21]	VOLLMER T , MANIC M . Computationally efficient neural network intrusion security awareness[C]// The 2nd International Symposium on Resilient Control Systems. 2009: 25-30.
[22]	LINDA O , VOLLMER T , MANIC M . Neural network based intrusion detection system for critical infrastructures[C]// International Joint Conference on Neural Networks. 2009: 1827-1834.
[23]	VOLLMER T , MANIC M . Cyber-physical system security with deceptive virtual hosts for industrial control networks[J]. IEEE Transactions on Industrial Informatics, 2014,10(2): 1337-1347.
[24]	TSANG C H , KWONG S . Multi-agent intrusion detection system in industrial network using ant colony clustering approach and unsupervised feature extraction[C]// International Conference on Industrial Technology. 2005: 115-120.
[25]	GAO W , MORRIS T , REAVES B ,et al. On SCADA control system command and response injection and intrusion detection[C]// The 5th Annual Anti-Phishing Working Group eCrime Researchers Summit. 2010: 1-9.
[26]	KWON Y J , KIM H K , LIM Y H ,et al. A behavior-based intrusion detection technique for smart grid infrastructure[C]// PowerTech Conference. 2015: 1-6.
[27]	HADZIOSMANOVIC D , SIMIONATO L , BOLZONI D ,et al. N-gram against the machine:on the feasibility of the n-gram network analysis for binary protocols[C]// The 15th International Symposium on Research in Attacks,Intrusions,and Defenses. 2012: 354-373.
[28]	BARBOSA R , PRAS A . Intrusion detection in SCADA networks[C]// The 4th International Conference on Autonomous Infrastructure,Management and Security, 2010: 163-166.
[29]	CARCANO A , FOVINO I N , MASERA M ,et al. State-based network intrusion detection systems for SCADA protocols:a proof of concept[C]// The 4th International Workshop on Critical Information Infrastructures Security. 2010: 138-150.
[30]	PARVANIA M , KOUTSANDRIA G , MUTHUKUMARY V ,et al. Hybrid control network intrusion detection systems for automated power distribution systems[C]// The 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2014: 774-779.
[31]	HONG J H , WU S S , STEFANOV A . An intrusion and defense testbed in a cyber-power system environment[C]// IEEE Power and Energy Society General Meeting. 2011: 1-5.
[32]	ZHOU C , HUANG S , XIONG N ,et al. Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation[J]. IEEE Transactions on System,Man and Cybernetics-Systems, 2015,45(10): 1345-1360.
[33]	SHANG W L , LI L , WAN M ,et al. Industrial communication intrusion detection algorithm based on improved one-class SVM[C]// 2015 World Congress on Industrial Control System Security. 2015: 21-25.
[34]	LIN H , SLAGELL A , KALLBARCZYK Z ,et al. Semantic security analysis of SCADA networks to detect malicious control commands in power grids[C]// The First ACM Workshop on Smart Energy Grid Security. 2013: 29-34.
[35]	HADZIOSMANOVIC D , SOMMER R , ZAMBON E ,et al. Through the eye of the PLC:semantic security monitoring for industrial processes[C]// The 30th Annual Computer Security Applications Conference. 2014: 126-135.
[36]	MITCHELL R , CHEN I R . Behavior rule based intrusion detection for supporting secure medical cyber physical systems[C]// The 21st International Conference on Computer Communication and Networks. 2012: 1-7.
[37]	MITCHELL R , CHEN I R . Specification based intrusion detection for unmanned aircraft systems[C]// The first ACM MobiHoc Workshop on Airborne Networks and Communications. 2012: 31-36.
[38]	MITCHELL R , CHEN I R . Behavior rule based intrusion detection systems for safety critical smart grid applications[J]. IEEE Transactions on Smart Grid, 2013,4(3): 1254-1263.
[39]	MITCHELL R , CHEN I R . A survey of intrusion detection techniques for cyber physical systems[J]. ACM Computing Surveys, 2014,46(4): 1-27.
[40]	MITCHELL R , CHEN I R . Behavior rule specification-based intrusion detection for safety critical medical cyber physical system[J]. IEEE Transactions on Dependable and Secure Computing, 2015,12(1): 16-30.
[41]	OMAN P , PHILIPS M . Intrusion detection and event monitoring in SCADA networks[C]// The 1st Annual IFIP International Conference on Critical Infrastructure Protection. 2008: 161-173.
[42]	LINDA O , MANIC M , VOLLMER T ,et al. Fuzzy logic based anomaly detection for embedded network security cyber sensor[C]// IEEE Symposium on Computational Intelligence in Cyber Security. 2011: 202-209.
[43]	PONOMAREV S , ATKISON T . Industrial control system network intrusion detection by telemetry analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2016,13(2): 252-260.
[44]	NARSINGYANI D , KALE O . Optimizing false positive in anomaly based intrusion detection using genetic algorithm[C]// The 3rd International Conference on MOOCs,Innovation and Technology in Education. 2015: 72-77.
[45]	DUSSEL P , GEHL C , LASKOV P . Cyber-critical infrastructure protection using real-time payload-based anomaly detection[C]// The 4th International Workshop on Critical Information Infrastructure Security. 2010: 85-97.
[46]	王海凤 . 工业控制网络的异常检测与防御资源分配研究[D]. 浙江大学, 2014.
	WANG H F . On anomaly detection and defense resource allocation of industrial control networks[D]. Zhejiang University, 2014.
[47]	AMBUSAIDI M , HE X J , NANDA P . Building an intrusion detection system using a filter-based feature selection algorithm[J]. IEEE Transactions on Computers, 2016(99):1.
[48]	PREARATNEU K , SAMARABANDU J , SIDHU T S . An intrusion detection system for IEC61850 automated substations[J]. IEEE Transactions on Power Delivery, 2010,25(4): 2376-2383.
[49]	SAMDARSHI R , SINHA N , TRIPATHI P . A triple layer intrusion detection system for SCADA security of electric utility[C]// India Conference. 2015: 1-5.
[50]	SINGH P , GARG S , KUMAR V . A testbed for SCADA cyber security and intrusion detection[C]// International Conference on Cyber Security of Smart Cities,Industrial Control System and Communications. 2015: 1-6.
[51]	SRIDHAR S , GOVINDARASU M . Model-based attack detection and mitigation for automatic generation control[J]. IEEE Transactions on Smart Grid, 2014,5(2): 580-591.

研究文献	支持工控协议	检测技术	检测攻击类型或检测规则数	是否检测未知攻击	局限性	检测效果
文献[16]	Modbus	流量周期性	DoS 攻击、扫描信息攻击	否	控制网络的周期性存在不确定性	检测效率高，但在准确率上存在较大的问题
文献[17]	Modbus	概率主成分分析法	只针对震网攻击	否	仅对于攻击流量特征与正常业务类型差异比较大的情况	使FPR平均下降率达32%
文献[15]	SCADA	频率检测	过程攻击	否	无	频率降低
文献[18]	Modbus	多情感的基因算法去自动提取异常行为的规则	30条规则	否	该方法对于每一种攻击至少生成3条检测规则，有些行为多达8条规则，影响了检测性能	算法精度非常高，对33 804个数据分组进行了测试，只误报了3个数据分组
文献[19]	Modbus	特征检测	50条规则	否	无	检测精度高
文献[20]	Modbus、IEC 60870-5	特征检测和行为检测	重放攻击、中间人攻击、DoS攻击	否	只能检测已知攻击	FPR为0.13%，FNR为0.16%～0.2%

研究文献	支持的工控协议	检测技术（算法）	检测攻击类型或检测规则数	是否检测未知攻击	局限性	检测效果
文献[41]	SCADA	事件监控、特征提取	电力有关攻击	否	无	可避免人工识别情况下产生的漏报
文献[42]	Modbus	模糊集	Probing攻击	是	必须首先进行模型离线学习，而嵌入式设备的学习能力十分有限，不利于模型及时更新	正确分类率为99.36%,FPR为0,FNR为0.9%
文献[43]	Modbus	网络遥测技术	中间人攻击、DoS攻击、欺骗攻击、分组注入攻击	是	无	精确度为94.3%,FPR为5.7%，无漏报
文献[44]	无	基因算法、特征选择	DoS攻击	否	无	规则数增加，降低FPR
文献[45]	Modbus	基于载荷的异常检测	19种攻击及8种漏洞	是	无	FPR为0.2%，检测率为88%～92%
文献[46]	无	不完备信息的半监督K-means技术、	欺骗攻击、DoS攻击、中间人攻击、端口扫描攻击	是	无	能提高检测精度，降低FPR
文献[47]	无	基于交互信息的特征选择	DoS、U2R、R2L、Probing攻击	是	无	检测率高，FPR低