2.845

2023影响因子

(CJCR)

  • 中文核心
  • EI
  • 中国科技核心
  • Scopus
  • CSCD
  • 英国科学文摘

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

一种基于状态迁移图的工业控制系统异常检测方法

吕雪峰 谢耀滨

吕雪峰, 谢耀滨. 一种基于状态迁移图的工业控制系统异常检测方法. 自动化学报, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832
引用本文: 吕雪峰, 谢耀滨. 一种基于状态迁移图的工业控制系统异常检测方法. 自动化学报, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832
LV Xue-Feng, XIE Yao-Bin. An Anomaly Detection Method for Industrial Control Systems via State Transition Graph. ACTA AUTOMATICA SINICA, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832
Citation: LV Xue-Feng, XIE Yao-Bin. An Anomaly Detection Method for Industrial Control Systems via State Transition Graph. ACTA AUTOMATICA SINICA, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832

一种基于状态迁移图的工业控制系统异常检测方法

doi: 10.16383/j.aas.2017.c160832
详细信息
    作者简介:

    吕雪峰  数学工程与先进计算国家重点实验室硕士研究生.主要研究方向为工控安全.E-mail:lvxuefeng10@163.com

    通讯作者:

    谢耀滨 解放军信息工程大学网络空间安全学院讲师.主要研究方向为工控安全.本文通信作者. E-mail:yb_xie@163.com

An Anomaly Detection Method for Industrial Control Systems via State Transition Graph

More Information
    Author Bio:

    Master student at the State Key Laboratory of Mathematical Engineering and Advanced Computing. His main research interest is industrial control system security

    Corresponding author: XIE Yao-Bin Lecturer at the School of Cyber Space Security, PLA Information Engineering University. His main research interest is industrial control system security. Corresponding author of this paper
  • 摘要: 基于状态的工业控制系统入侵检测方法以其高准确率受到研究者的青睐,但是这种方法往往依赖专家经验事先定义系统的临界状态,且处理不了系统状态变量较多的情况.针对这一问题,提出一种新的基于状态迁移图的异常检测方法.该方法利用相邻数据向量间的余弦相似度和欧氏距离建立系统正常状态迁移模型,不需要事先定义系统的临界状态,并通过以下两个条件来判定系统是否处于异常:1)新的数据向量对应的状态是否位于状态迁移图内;2)前一状态到当前状态是否可达.文章建立了恶意数据攻击模型,并以田纳西-伊斯曼(Tennessee-eastman,TE)过程MATLAB模型作为仿真平台进行了仿真测试.仿真结果表明,该方法即使在系统遭受轻微攻击的情况下也有较好的检测结果,且消耗较少的时空资源.
    1)  本文责任编委 胡昌华
  • 图  1  典型的工业控制系统网络架构

    Fig.  1  Typical network architecture for industrial control system

    图  2  工业控制过程:传感器和执行器易成为攻击目标

    Fig.  2  Industrial control process: sensors and actuators are vulnerable targets

    图  3  余弦相似度和欧氏距离取值示意

    Fig.  3  Possible taking-value for cosine similarity and Euclidian distance

    图  4  余弦相似度和欧氏距离关联性示意

    Fig.  4  Relevance between cosine similarity and Euclidian distance

    图  5  基于状态迁移图的在线检测流程

    Fig.  5  Online detection process based on state transition graph

    图  6  基于状态迁移图的在线检测流程

    Fig.  6  Online detection process based on state transition graph

    图  7  反应器温度控制回路

    Fig.  7  Control loop for reactor temperature

    图  8  加入攻击信号的反应器温度控制回路

    Fig.  8  Control loop for reactor temperature added with attack signal

    图  9  正常工况下反应器温度随时间变化情况

    Fig.  9  Reactor temperature varies with time under normal condition

    图  10  斜坡注入工况($k=0.01$)下, 反应器温度随时间变化情况

    Fig.  10  Reactor temperature varies with time under ramp signal injection with $k$ set at 0.01

    图  11  偏置注入工况($c=0.1$)下, 反应器温度随时间变化情况

    Fig.  11  Reactor temperature varies with time under bias signal injection with $c$ set at 0.1

    图  12  $intervals$为5时的状态迁移图

    Fig.  12  The state transition graph when $intervals$ is equal to 5

    图  13  $intervals$为8时的状态迁移图

    Fig.  13  The state transition graph when $intervals$ is equal to 8

    图  14  PCA方法${{\rm{T}}^2}$统计量

    Fig.  14  ${{\rm{T}}^2}$ statistic of PCA method

    图  15  PCA方法$\rm{SPE}$统计量

    Fig.  15  $\rm{SPE}$ statistic of PCA method

    表  1  测试数据集及其参数

    Table  1  The test data set and the corresponding parameters

    实验数据$c$$k$
    Normal00
    Dataset10.010
    Dataset20.10
    Dataset310
    Dataset400.01
    Dataset500.1
    Dataset601
    下载: 导出CSV

    表  2  状态迁移图的顶点数和边数随$intervals$的变化

    Table  2  The nodes and triangles number of state transition graph varies with $intervals$

    $intervals$顶点数边数
    3948
    520147
    844315
    1073677
    1297782
    15143871
    下载: 导出CSV

    表  3  $intervals=5$时的检测结果

    Table  3  Detection results when $intervals$ is equal to 5

    Dataset1Dataset2Dataset3Dataset4Dataset5ataset6
    正确检测到异常的样本点数409401401436407402
    异常类别异常2异常2异常2异常2异常2异常2
    误报率(%)0.630.210.420.210.830.42
    下载: 导出CSV

    表  4  $intervals=8$时的检测结果

    Table  4  Detection results when $intervals$ is equal to 8

    Dataset1Dataset2Dataset3Dataset4Dataset5Dataset6
    正确检测到异常的样本点数401401401411401401
    异常类别异常2异常2异常2异常2异常2异常2
    误报率(%)5.624.385.214.175.835.42
    下载: 导出CSV

    表  5  $intervals=10$时的检测结果

    Table  5  Detection results when $intervals$ is equal to 10

    Dataset1Dataset2Dataset3Dataset4Dataset5Dataset6
    正确检测到异常的样本点数401401401401401401
    异常类别异常2异常2异常2异常2异常2异常2
    误报率(%)7.507.088.128.216.677.71
    下载: 导出CSV

    表  6  $intervals=15$时的检测结果

    Table  6  Detection results when $intervals$ is equal to 15

    Dataset1Dataset2Dataset3Dataset4Dataset5Dataset6
    正确检测到异常的样本点数401401401401401401
    异常类别异常2异常1异常1异常1异常1异常1
    误报率(%)24.3726.2522.9230.2128.9626.04
    下载: 导出CSV
  • [1] 贾驰千, 冯冬芹.基于多目标决策的工控系统设备安全评估方法研究.自动化学报, 2016, 42 (5):706-714 http://www.aas.net.cn/CN/abstract/abstract18860.shtml

    Jia Chi-Qian, Feng Dong-Qin. Industrial control system devices security assessment with multi-objective decision. Acta Automatica Sinica, 2016, 42 (5):706-714 http://www.aas.net.cn/CN/abstract/abstract18860.shtml
    [2] Langner R. Stuxnet:dissecting a cyberwarfare weapon. IEEE Security and Privacy, 2011, 9 (3):49-51 doi: 10.1109/MSP.2011.67
    [3] Urbina D I, Giraldo J A, Cardenas A A, Tippenhauer N O, Valente J, Faisal M, Ruths J, Candell R, Sandberg H. Limiting the impact of stealthy attacks on industrial control systems. In:Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. Vienna, Austria:ACM, 1994. 1092-1105
    [4] Rahman M A, Al-Shaer E, Kavasseri R G. A formal model for verifying the impact of stealthy attacks on optimal power flow in power grids. In:Proceedings of the 2014 ACM/IEEE International Conference on Cyber-Physical Systems. Berlin, Germany:IEEE, 2014. 175-186
    [5] Kiss I, Genge B, Haller P, Sebestyén G. A framework for testing stealthy attacks in energy grids. In:Proceedings of the 2015 IEEE International Conference on Intelligent Computer Communication and Processing. Cluj-Napoca, Romania:IEEE, 2015. 553-560
    [6] Queiroz C, Mahmood A, Tari Z. A probabilistic model to predict the survivability of SCADA systems. IEEE Transactions on Industrial Informatics, 2013, 9 (4):1975-1985 doi: 10.1109/TII.2012.2231419
    [7] Yoon M K, Ciocarlie G. Communication pattern monitoring:improving the utility of anomaly detection for industrial control systems. In:Proceedings of the 2014 NDSS Workshop on Security of Emerging Networking Technologies. San Diego, California, USA:The Internet Society, 2014.
    [8] Beaver J M, Borges-Hink R C, Buckner M A. An evaluation of machine learning methods to detect malicious SCADA communications. In:Proceedings of the 12th International Conference on Machine Learning and Applications. Florida, USA:IEEE, 2013. 54-59
    [9] Maglaras L A, Jiang J M. Intrusion detection in SCADA systems using machine learning techniques. In:Proceedings of the 2014 Science and Information Conference. London, England:IEEE, 2014. 626-631
    [10] Kroll B, Schaffranek D, Schriegel S, Niggemann O. System modeling based on machine learning for anomaly detection and predictive maintenance in industrial plants. In:Proceedings of the 2014 IEEE Emerging Technology and Factory Automation. Barcelona, Spain:IEEE, 2014. 1-7
    [11] Stefanidis K, Voyiatzis A G. An HMM-based anomaly detection approach for SCADA systems. Information Security Theory and Practice. Cham:Springer-Verlag, 2016. 85-99
    [12] Shang W L, Zeng P, Wan M, Li L, An P F. Intrusion detection algorithm based on OCSVM in industrial control system. Security and Communication Networks, 2016, 9 (10):1040-1049 doi: 10.1002/sec.v9.10
    [13] Khalili A, Sami A. SysDetect:a systematic approach to critical state determination for industrial intrusion detection systems using Apriori algorithm. Journal of Process Control, 2015, 32:154-160 doi: 10.1016/j.jprocont.2015.04.005
    [14] Wang Y, Xu Z Y, Zhang J L, Xu L, Wang H P, Gu G F. SRID:state relation based intrusion detection for false data injection attacks in SCADA. Computer Security-ESORICS 2014. Cham:Springer-Verlag, 2014. 401-418
    [15] Fovino I N, Carcano A, De Lacheze Murel T, Trombetta A, Masera M. Modbus/DNP3 state-based intrusion detection system. In:Proceedings of the 24th IEEE International Conference on Advanced Information Networking and Applications. Perth, Australia:IEEE, 2010. 729-736
    [16] Genge B, Siaterlis C, Karopoulos G. Data fusion-base anomay detection in networked critical infrastructures. In:Proceedings of the 43rd Annual IEEE/IFIP Conference on Dependable Systems and Networks Workshop. Budapest, Hungary:IEEE, 2013. 1-8
    [17] Carcano A, Coletta A, Guglielmi M, Masera M, Fovino I N, Trombetta A. A multidimensional critical state analysis for detecting intrusions in SCADA systems. IEEE Transactions on Industrial Informatics, 2011, 7 (2):179-186 doi: 10.1109/TII.2010.2099234
    [18] Downs J J, Vogel E F. A plant-wide industrial process control problem. Computers and Chemical Engineering, 1993, 17 (3):245-255 doi: 10.1016/0098-1354(93)80018-I
    [19] Ricker N L. Tennessee Eastman challenge archive[Online], available:http://depts.washington.edu/control/LARRY/TE/download.html, May 31, 2017
    [20] Ricker N L. Decentralized control of the Tennessee Eastman challenge process. Journal of Process Control, 1996, 6 (4):205-221 doi: 10.1016/0959-1524(96)00031-5
  • 加载中
图(15) / 表(6)
计量
  • 文章访问数:  1954
  • HTML全文浏览量:  322
  • PDF下载量:  710
  • 被引次数: 0
出版历程
  • 收稿日期:  2016-12-22
  • 录用日期:  2017-05-22
  • 刊出日期:  2018-09-20

目录

    /

    返回文章
    返回