Journal on Communications (通信学报) ›› 2017, Vol. 38 ›› Issue (2): 143-156. doi: 10.11959/j.issn.1000-436x.2017036
Authors: Ying-xu LAI1, Zeng-hui LIU2, Xiao-tian CAI1, Kai-xiang YANG1 (赖英旭1, 刘增辉2, 蔡晓田1, 杨凯翔1)
Online: 2017-02-01
Published: 2017-07-20
About the authors:
LAI Ying-xu (born 1973), female, from Fushun, Liaoning; professor at Beijing University of Technology; main research interests: industrial control network security and software-defined network security. | LIU Zeng-hui (born 1963), male, from Beijing; professor at Beijing Polytechnic (北京电子科技职业学院); main research interests: mechatronics and industrial control network security. | CAI Xiao-tian (born 1994), female, from Yuncheng, Shanxi; master's student at Beijing University of Technology; main research interests: industrial control network security and intrusion detection. | YANG Kai-xiang (born 1992), male, from Lanzhou, Gansu; master's student at Beijing University of Technology; main research interests: industrial control network security, intrusion detection and vulnerability discovery.
Supported by:
Abstract:
Industrial control systems (ICS) are a key component of national critical infrastructure; once they come under network attack, the consequences can be severe, including property loss and casualties. To provide theoretical support for researchers in the ICS security field, this paper analyses the characteristics of attacks on ICS and the difficulties of detecting them, reports the state of research on intrusion detection techniques in industrial systems, compares the performance and characteristics of the different detection techniques, and finally produces a survey of industrial intrusion detection research.
CLC number:
Cite this article: Ying-xu LAI, Zeng-hui LIU, Xiao-tian CAI, Kai-xiang YANG. Research on intrusion detection of industrial control system (工业控制系统入侵检测研究综述)[J]. Journal on Communications, 2017, 38(2): 143-156.
Table 1. Performance comparison of misuse-based intrusion detection

| Reference | Supported ICS protocol | Detection technique | Attack types detected or number of rules | Detects unknown attacks | Limitations | Detection performance |
|---|---|---|---|---|---|---|
| Ref. [ | Modbus | Traffic periodicity | DoS attack, information-scanning attack | No | The periodicity of the control network is itself uncertain | High detection efficiency, but considerable accuracy problems |
| Ref. [ | Modbus | Probabilistic principal component analysis | Stuxnet attack only | No | Only applicable when attack-traffic features differ markedly from normal business traffic | Average FPR reduction of 32% |
| Ref. [ | SCADA | Frequency detection | Process attacks | No | None | Frequency reduced |
| Ref. [ | Modbus | Genetic algorithm (多情感 GA) that automatically extracts rules for anomalous behaviour | 30 rules | No | At least 3 detection rules are generated per attack, up to 8 for some behaviours, which degrades detection performance | Very high precision: tested on 33,804 packets with only 3 false positives |
| Ref. [ | Modbus | Signature detection | 50 rules | No | None | High detection precision |
| Ref. [ | Modbus, IEC 60870-5 | Signature detection and behaviour detection | Replay attack, man-in-the-middle attack, DoS attack | No | Can only detect known attacks | FPR 0.13%, FNR 0.16%~0.2% |
Table 2. Performance comparison of anomaly-based intrusion detection

| Reference | Supported ICS protocol | Detection technique | Attack types detected or number of rules | Detects unknown attacks | Limitations | Detection performance |
|---|---|---|---|---|---|---|
| Ref. [ | SCADA | Neural network with dynamic-window feature extraction | Zero-day attacks | Yes | None | 100% detection rate |
| Ref. [ | SCADA | Honeypot | None | Yes | The response packets of the virtual hosts are limited to ICMP, TCP and UDP | Identifies all virtual-host devices and logs the IP addresses of anomalous behaviour |
| Ref. [ | SCADA | Ant colony clustering and unsupervised feature extraction | DoS, Remote-to-Local (R2L), User-to-Root (U2R) and Probing attacks | Yes | None | Detects known and unknown attacks with a high detection rate and low false-positive rate |
| Ref. [ | Michigan State University SCADA testbed and Modbus | Neural network | Replay attack, man-in-the-middle attack and DoS attack | No | Very high detection rate for man-in-the-middle and DoS attacks, but very low for replay attacks | Replay attack: FNR 42.7%, FPR 45.1%; man-in-the-middle attack: FNR 0~8.9%, FPR 0~6.2%; DoS attack: FNR 0~2.0%, FPR 0~8.2% |
| Ref. [ | IEC 61850 | Statistical analysis of network features | 27 attacks | Yes | No comparison of performance and accuracy against open, publicly available network datasets | High detection rate, no false positives |
| Ref. [ | Modbus | n-gram feature extraction | Data injection attack | Yes | None | Relatively high detection precision |
| Ref. [ | SCADA | Semantic analysis | Jellyfish attack (水母攻击) | Yes | The system's critical states are modelled too simply | Detects all potential threats |
| Ref. [ | Modbus, DNP3, IEC 61850 | Analysis of traffic characteristics and protocol characteristics | DoS attack, man-in-the-middle attack and insider attack | Yes | None | Detects the various attack scenarios launched from inside the trusted perimeter of the automation network |
| Ref. [ | SCADA | n-gram sequence-state analysis and statistical model analysis | Spoofing attack, tampering attack, DoS attack, fault injection | Yes | Relies on system knowledge only | Detects attacks quickly; misjudgement rate below 1.61% |
| Ref. [ | Modbus TCP | One-class support vector machine | Malicious code on PLCs | Yes | Preprocessing only performs basic vectorisation of Modbus function codes; not all captured data is modelled | High precision, with strong learning and generalisation ability |
Table 4. Comparison of accuracy-improvement techniques

| Reference | Supported ICS protocol | Detection technique (algorithm) | Attack types detected or number of rules | Detects unknown attacks | Limitations | Detection performance |
|---|---|---|---|---|---|---|
| Ref. [ | SCADA | Event monitoring, feature extraction | Power-system-related attacks | No | None | Avoids the missed detections that occur under manual identification |
| Ref. [ | Modbus | Fuzzy sets | Probing attack | Yes | The model must first be learned offline, and the learning capacity of embedded devices is very limited, which hinders timely model updates | Correct classification rate 99.36%, FPR 0, FNR 0.9% |
| Ref. [ | Modbus | Network telemetry | Man-in-the-middle attack, DoS attack, spoofing attack, packet injection attack | Yes | None | Precision 94.3%, FPR 5.7%, no missed detections |
| Ref. [ | None | Genetic algorithm, feature selection | DoS attack | No | None | Increasing the number of rules lowers the FPR |
| Ref. [ | Modbus | Payload-based anomaly detection | 19 attacks and 8 vulnerabilities | Yes | None | FPR 0.2%, detection rate 88%~92% |
| Ref. [ | None | Semi-supervised K-means with incomplete information | Spoofing attack, DoS attack, man-in-the-middle attack, port-scanning attack | Yes | None | Improves detection precision and lowers the FPR |
| Ref. [ | None | Mutual-information-based feature selection | DoS, U2R, R2L, Probing attacks | Yes | None | High detection rate, low FPR |
References

[1] DONALD P C. The application of autonomic computing for the protection of industrial control systems[M]. Tucson: The University of Arizona Press, 2011.
[2] National information security standardization of 11th five-year planning (act) (《国家信息安全标准化"十一五"规划》(摘登))[EB/OL]. , 2007.
[3] The notice to strengthen information security management of industrial control system (《关于加强工业控制系统信息安全管理的通知》工信部协[2011]451号)[EB/OL]. , 2011.
[4] The State Council of the People's Republic of China. The State Council on vigorously promote the development of information technology and ensure the several opinions of the information security (国务院关于大力推进信息化发展和切实保障信息安全的若干意见)[EB/OL]. , 2012.
[5] The National Development and Reform Commission, the High Technology Industry Company. General Office of the National Development and Reform Commission about the notice to organizing the implementation of the national information security 2012 special matters (The National Development and Reform Commission and the High Technology Industry Company [2012] No.2019) (国家发展改革委办公厅关于组织实施2012年国家信息安全专项有关事项的通知(发改办高技[2012]2019号))[EB/OL]. , 2012.
[6] The National Development and Reform Commission, the High Technology Industry Company. General Office of the National Development and Reform Commission about the notice to organizing the implementation of the national information security 2013 special matters (The National Development and Reform Commission and the High Technology Industry Company [2013] No.1965) (国家发展改革委办公厅关于组织实施2013年国家信息安全专项有关事项的通知(发改办高技[2013]1965号))[EB/OL]. , 2013.
[7] "Industrial control system profound security technology" included in the "cyberspace security" 2016 special project application guide published by the Ministry of Science and Technology (“工业控制系统深度安全技术”列入科技部发布的“网络空间安全”重点专项2016年度项目申报指南)[EB/OL]. , 2016.
[8] SHIN S, KWON T, JO G Y, et al. An experimental study of hierarchical intrusion detection for wireless industrial sensor networks[J]. IEEE Transactions on Industrial Informatics, 2010, 6(4): 744-757.
[9] JONES R A, HOROWITZ B. A system-aware cyber security architecture[J]. Systems Engineering, 2012, 15(2): 225-240.
[10] HU Y, YU D, LIU M L. Present research and developing trends on industrial control network (工业控制网络的研究现状及发展趋势)[J]. Computer Science (计算机科学), 2010, 37(1): 23-28.
[11] WANG Y M, DING L. Industry control system (ICS) overview and comparison with the IT system (工业控制系统(ICS)概述和与IT系统的比较)[J]. China Instrumentation (中国仪器仪表), 2012(2): 37-43.
[12] ZHANG S. The security risk analysis of the industrial control system (工业控制系统安全风险分析)[J]. Information Security and Communications Privacy (信息安全与通信保密), 2012(3): 15-19.
[13] WANG Y M. The general attacks and how to protect the ICS (工业控制系统的常见攻击)[J]. China Instrumentation (中国仪器仪表), 2012(3): 60-65.
[14] ZHANG F D, XIE L, YING Q J. Performance analysis of LAN using polling mechanism in a noisy environment (噪声环境中采用探询机制的局域网性能分析)[J]. Journal of China Institute of Communications (通信学报), 2002, 23(6): 7-13.
[15] LIU C C, STEFANOW A. Cyber-power system security in a smart grid environment[C]// IEEE PES Innovative Smart Grid Technologies. 2012: 1-3.
[16] BARBOSA R, SADRE R, PRAS A. Towards periodicity based anomaly detection in SCADA networks[C]// The 17th International Conference on Emerging Technologies & Factory Automation. 2012: 1-4.
[17] HOU C Y, JIANG H H, RUI W Z, et al. A probabilistic principal component analysis approach for detecting traffic anomaly in industrial networks (工业网络流量异常检测的概率主成分分析法)[J]. Academic Journal of Xi'an Jiaotong University (西安交通大学学报), 2012, 46(2): 70-75.
[18] VOLLMER T, ALVES-FOSS J, MANIC M. Autonomous rule creation for intrusion detection[C]// IEEE Symposium on Computational Intelligence in Cyber Security. 2011: 1-8.
[19] MORRIS T, VAUGHN R, DANDASS Y. A retrofit network intrusion detection system for Modbus RTU and ASCII industrial control systems[C]// The 45th Hawaii International Conference on System Science. 2012: 2338-2345.
[20] HONG J, LIU C C, GOVINDARASU M. Integrated anomaly detection for cyber security of the substations[J]. IEEE Transactions on Smart Grid, 2014, 5(4): 1643-1653.
[21] VOLLMER T, MANIC M. Computationally efficient neural network intrusion security awareness[C]// The 2nd International Symposium on Resilient Control Systems. 2009: 25-30.
[22] LINDA O, VOLLMER T, MANIC M. Neural network based intrusion detection system for critical infrastructures[C]// International Joint Conference on Neural Networks. 2009: 1827-1834.
[23] VOLLMER T, MANIC M. Cyber-physical system security with deceptive virtual hosts for industrial control networks[J]. IEEE Transactions on Industrial Informatics, 2014, 10(2): 1337-1347.
[24] TSANG C H, KWONG S. Multi-agent intrusion detection system in industrial network using ant colony clustering approach and unsupervised feature extraction[C]// International Conference on Industrial Technology. 2005: 115-120.
[25] GAO W, MORRIS T, REAVES B, et al. On SCADA control system command and response injection and intrusion detection[C]// The 5th Annual Anti-Phishing Working Group eCrime Researchers Summit. 2010: 1-9.
[26] KWON Y J, KIM H K, LIM Y H, et al. A behavior-based intrusion detection technique for smart grid infrastructure[C]// PowerTech Conference. 2015: 1-6.
[27] HADZIOSMANOVIC D, SIMIONATO L, BOLZONI D, et al. N-gram against the machine: on the feasibility of the n-gram network analysis for binary protocols[C]// The 15th International Symposium on Research in Attacks, Intrusions, and Defenses. 2012: 354-373.
[28] BARBOSA R, PRAS A. Intrusion detection in SCADA networks[C]// The 4th International Conference on Autonomous Infrastructure, Management and Security. 2010: 163-166.
[29] CARCANO A, FOVINO I N, MASERA M, et al. State-based network intrusion detection systems for SCADA protocols: a proof of concept[C]// The 4th International Workshop on Critical Information Infrastructures Security. 2010: 138-150.
[30] PARVANIA M, KOUTSANDRIA G, MUTHUKUMARY V, et al. Hybrid control network intrusion detection systems for automated power distribution systems[C]// The 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2014: 774-779.
[31] HONG J H, WU S S, STEFANOV A. An intrusion and defense testbed in a cyber-power system environment[C]// IEEE Power and Energy Society General Meeting. 2011: 1-5.
[32] ZHOU C, HUANG S, XIONG N, et al. Design and analysis of multimodel-based anomaly intrusion detection systems in industrial process automation[J]. IEEE Transactions on Systems, Man, and Cybernetics: Systems, 2015, 45(10): 1345-1360.
[33] SHANG W L, LI L, WAN M, et al. Industrial communication intrusion detection algorithm based on improved one-class SVM[C]// 2015 World Congress on Industrial Control System Security. 2015: 21-25.
[34] LIN H, SLAGELL A, KALLBARCZYK Z, et al. Semantic security analysis of SCADA networks to detect malicious control commands in power grids[C]// The First ACM Workshop on Smart Energy Grid Security. 2013: 29-34.
[35] HADZIOSMANOVIC D, SOMMER R, ZAMBON E, et al. Through the eye of the PLC: semantic security monitoring for industrial processes[C]// The 30th Annual Computer Security Applications Conference. 2014: 126-135.
[36] MITCHELL R, CHEN I R. Behavior rule based intrusion detection for supporting secure medical cyber physical systems[C]// The 21st International Conference on Computer Communication and Networks. 2012: 1-7.
[37] MITCHELL R, CHEN I R. Specification based intrusion detection for unmanned aircraft systems[C]// The First ACM MobiHoc Workshop on Airborne Networks and Communications. 2012: 31-36.
[38] MITCHELL R, CHEN I R. Behavior rule based intrusion detection systems for safety critical smart grid applications[J]. IEEE Transactions on Smart Grid, 2013, 4(3): 1254-1263.
[39] MITCHELL R, CHEN I R. A survey of intrusion detection techniques for cyber physical systems[J]. ACM Computing Surveys, 2014, 46(4): 1-27.
[40] MITCHELL R, CHEN I R. Behavior rule specification-based intrusion detection for safety critical medical cyber physical system[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 12(1): 16-30.
[41] OMAN P, PHILIPS M. Intrusion detection and event monitoring in SCADA networks[C]// The 1st Annual IFIP International Conference on Critical Infrastructure Protection. 2008: 161-173.
[42] LINDA O, MANIC M, VOLLMER T, et al. Fuzzy logic based anomaly detection for embedded network security cyber sensor[C]// IEEE Symposium on Computational Intelligence in Cyber Security. 2011: 202-209.
[43] PONOMAREV S, ATKISON T. Industrial control system network intrusion detection by telemetry analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2016, 13(2): 252-260.
[44] NARSINGYANI D, KALE O. Optimizing false positive in anomaly based intrusion detection using genetic algorithm[C]// The 3rd International Conference on MOOCs, Innovation and Technology in Education. 2015: 72-77.
[45] DUSSEL P, GEHL C, LASKOV P. Cyber-critical infrastructure protection using real-time payload-based anomaly detection[C]// The 4th International Workshop on Critical Information Infrastructure Security. 2010: 85-97.
[46] WANG H F. On anomaly detection and defense resource allocation of industrial control networks (工业控制网络的异常检测与防御资源分配研究)[D]. Zhejiang University (浙江大学), 2014.
[47] AMBUSAIDI M, HE X J, NANDA P. Building an intrusion detection system using a filter-based feature selection algorithm[J]. IEEE Transactions on Computers, 2016(99): 1.
[48] PREARATNEU K, SAMARABANDU J, SIDHU T S. An intrusion detection system for IEC61850 automated substations[J]. IEEE Transactions on Power Delivery, 2010, 25(4): 2376-2383.
[49] SAMDARSHI R, SINHA N, TRIPATHI P. A triple layer intrusion detection system for SCADA security of electric utility[C]// India Conference. 2015: 1-5.
[50] SINGH P, GARG S, KUMAR V. A testbed for SCADA cyber security and intrusion detection[C]// International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications. 2015: 1-6.
[51] SRIDHAR S, GOVINDARASU M. Model-based attack detection and mitigation for automatic generation control[J]. IEEE Transactions on Smart Grid, 2014, 5(2): 580-591.