An Anomaly Detection Method for Industrial Control Systems via State Transition Graph
Abstract (translated from the Chinese): State-based intrusion detection methods for industrial control systems are favoured by researchers for their high accuracy, but such methods usually rely on expert experience to define the system's critical states in advance and cannot handle systems with many state variables. To address this problem, a new anomaly detection method based on a state transition graph is proposed. The method uses the cosine similarity and Euclidean distance between adjacent data vectors to build a model of the system's normal state transitions, without predefining any critical states, and decides whether the system is anomalous by two conditions: 1) whether the state corresponding to the new data vector lies in the state transition graph; 2) whether the previous state can reach the current state. A malicious data attack model is built, and simulation tests are run on the MATLAB model of the Tennessee-Eastman (TE) process. The simulation results show that the method still detects well even when the system is under a slight attack, and that it consumes little time and space.

Abstract: State-based intrusion detection methods for industrial control systems are favored owing to their high accuracy, but such methods often rely on critical states defined beforehand from expert experience and cannot deal with systems containing many variables. To handle this problem, a new anomaly detection method based on a state transition graph is proposed. The proposed method constructs a normal state transition model of the system from the cosine similarity and Euclidean distance between two adjacent data vectors, without any predefined critical states, and determines whether the system is in a normal state according to two conditions: 1) whether the state computed from the new data vector is in the state transition graph; 2) whether the previous state can reach the current state. To evaluate the method, a false data injection model is established and tested on a Tennessee-Eastman (TE) process simulated in MATLAB. The results show that even when the attack is slight the method still obtains good detection results while consuming little time and space.

1) Responsible editorial board member for this paper: Hu Chang-Hua
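The detection procedure the abstract describes, as an added worked example in Python that is not the paper's code: a normal state transition graph is learned from the cosine similarity and Euclidean distance of adjacent data vectors, and a new vector is flagged either because its state is not in the graph (condition 1) or because there is no edge from the previous state to it (condition 2). Everything the abstract leaves open is an assumption here: a state is the pair of quantised bins of (cosine similarity, Euclidean distance) with the bin count given by `intervals` (the parameter varied in Table 2), "anomaly 1" denotes a state outside the graph and "anomaly 2" an unseen transition, the training series is a constructed three-variable signal rather than TE process data, and the injection model x' = (1 + c)·x + k is only one illustrative reading of the Table 1 parameters c and k, not the paper's definition.

```python
import math
from dataclasses import dataclass, field


def cosine_similarity(a, b):
    """Cosine similarity between two equal-length vectors, clamped to [-1, 1]."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    if norm_a == 0.0 or norm_b == 0.0:
        return 1.0  # assumption: a zero vector is treated as "no change of direction"
    return max(-1.0, min(1.0, dot / (norm_a * norm_b)))


def euclidean_distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


@dataclass
class TransitionGraph:
    """Normal-behaviour model: the states observed in training and the transitions between them."""
    intervals: int                 # quantisation bins per feature (the Table 2 parameter)
    max_distance: float = 0.0      # largest adjacent-vector distance seen in training
    states: set = field(default_factory=set)
    edges: set = field(default_factory=set)

    def state_of(self, prev, cur):
        """Map one adjacent pair of vectors to a discrete state (cosine bin, distance bin)."""
        cos = cosine_similarity(prev, cur)
        dist = euclidean_distance(prev, cur)
        # cosine similarity lies in [-1, 1]: split that range into `intervals` equal bins
        cos_bin = min(int((cos + 1.0) / 2.0 * self.intervals), self.intervals - 1)
        # distances are normalised by the training maximum; a larger distance goes to an
        # extra bin (index == intervals) that no training pair can ever produce
        if dist > self.max_distance:
            dist_bin = self.intervals
        elif self.max_distance == 0.0:
            dist_bin = 0  # degenerate training set in which no vector ever changed
        else:
            dist_bin = min(int(dist / self.max_distance * self.intervals), self.intervals - 1)
        return (cos_bin, dist_bin)


def build_graph(normal_vectors, intervals):
    """Learn the transition graph from a sequence of vectors recorded under normal operation."""
    pairs = list(zip(normal_vectors, normal_vectors[1:]))
    graph = TransitionGraph(intervals=intervals,
                            max_distance=max(euclidean_distance(p, c) for p, c in pairs))
    prev_state = None
    for prev, cur in pairs:
        state = graph.state_of(prev, cur)
        graph.states.add(state)                    # condition 1 data: states that occur
        if prev_state is not None:
            graph.edges.add((prev_state, state))   # condition 2 data: transitions that occur
        prev_state = state
    return graph


def detect(graph, vectors):
    """One verdict per adjacent pair: 'normal', 'anomaly1' (state not in the graph) or
    'anomaly2' (state known, but not reachable from the previous state)."""
    verdicts = []
    prev_state = None
    for prev, cur in zip(vectors, vectors[1:]):
        state = graph.state_of(prev, cur)
        if state not in graph.states:
            verdicts.append("anomaly1")
        elif prev_state is not None and (prev_state, state) not in graph.edges:
            verdicts.append("anomaly2")
        else:
            verdicts.append("normal")
        prev_state = state  # an unknown state has no edges, so the next step is judged against it too
    return verdicts


def normal_process(n):
    """Constructed three-variable signal standing in for normal plant telemetry (not TE data)."""
    return [(math.sin(0.1 * t), math.cos(0.1 * t), 0.5 * math.sin(0.37 * t)) for t in range(n)]


def inject(vectors, start, end, c, k):
    """Illustrative false-data injection on the first variable for samples start <= t < end:
    x' = (1 + c) * x + k. This reading of the c and k parameters is an assumption."""
    return [((1.0 + c) * v[0] + k, v[1], v[2]) if start <= t < end else v
            for t, v in enumerate(vectors)]


def run_demo(intervals=5):
    graph = build_graph(normal_process(2000), intervals)
    attacked = inject(normal_process(600), 300, 400, c=0.0, k=1.0)  # constant offset, k = 1
    verdicts = detect(graph, attacked)
    alerts = [i + 1 for i, v in enumerate(verdicts) if v != "normal"]  # index of the flagged sample
    return {"vertices": len(graph.states), "edges": len(graph.edges),
            "first_alert": alerts[0] if alerts else None, "alert_count": len(alerts)}


if __name__ == "__main__":
    print(run_demo())
```

The out-of-range distance bin is what makes the injected offset visible: the normal signal never moves by more than about 0.21 between samples, so a jump of about 1 at the first attacked sample lands in a state the graph has never seen. Raising `intervals` splits the same training data into more states and edges, which is exactly the trade-off Tables 2 to 6 report: a finer graph, but also more normal transitions that were never observed during training and are therefore reported as false positives.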
Table 1 The test data sets and the corresponding parameters

Experimental data   c      k
Normal              0      0
Dataset1            0.01   0
Dataset2            0.1    0
Dataset3            1      0
Dataset4            0      0.01
Dataset5            0      0.1
Dataset6            0      1

Table 2 Number of vertices and edges of the state transition graph as $intervals$ varies

$intervals$   Vertices   Edges
3             9          48
5             20         147
8             44         315
10            73         677
12            97         782
15            143        871

Table 3 Detection results when $intervals$ is equal to 5

                                                  Dataset1   Dataset2   Dataset3   Dataset4   Dataset5   Dataset6
Sample points correctly detected as anomalous     409        401        401        436        407        402
Anomaly type                                      anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2
False-positive rate (%)                           0.63       0.21       0.42       0.21       0.83       0.42

Table 4 Detection results when $intervals$ is equal to 8

                                                  Dataset1   Dataset2   Dataset3   Dataset4   Dataset5   Dataset6
Sample points correctly detected as anomalous     401        401        401        411        401        401
Anomaly type                                      anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2
False-positive rate (%)                           5.62       4.38       5.21       4.17       5.83       5.42

Table 5 Detection results when $intervals$ is equal to 10

                                                  Dataset1   Dataset2   Dataset3   Dataset4   Dataset5   Dataset6
Sample points correctly detected as anomalous     401        401        401        401        401        401
Anomaly type                                      anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2  anomaly 2
False-positive rate (%)                           7.50       7.08       8.12       8.21       6.67       7.71

Table 6 Detection results when $intervals$ is equal to 15

                                                  Dataset1   Dataset2   Dataset3   Dataset4   Dataset5   Dataset6
Sample points correctly detected as anomalous     401        401        401        401        401        401
Anomaly type                                      anomaly 2  anomaly 1  anomaly 1  anomaly 1  anomaly 1  anomaly 1
False-positive rate (%)                           24.37      26.25      22.92      30.21      28.96      26.04