
Research on an Anomaly Detection System for ICS

Published: 2018-05-14 07:23

Topic: Industrial Control System (ICS) + information security; Source: Chongqing University of Technology (重庆理工大学), 2014 master's thesis


[Abstract]: Industrial Control Systems (ICS) are the core systems of critical infrastructure such as electric power, metallurgy, the chemical industry, petroleum, natural gas, water conservancy and transportation; their operational security bears directly on the safety of people's lives and property and on national strategic security. For a long time, however, ICS were closed proprietary systems, "physically isolated" from the Internet, and their design and implementation goals focused mainly on functionality, availability, testability and controllability. With the development of network and information technology, in particular the wide adoption of the Internet, cloud computing and the Internet of Things, ICS have gradually turned from "closed systems" into "open systems" (for example, permitting remote operation and interconnection with other systems inside the enterprise or along the industrial chain) and from "proprietary-technology systems" into "general-technology systems" (for example, adopting the Windows operating system and the TCP/IP protocol suite), so that the security situation of ICS grows more serious by the day. ICS information security has attracted close attention from the state, government agencies, large state-owned enterprises and universities, and has become a research hotspot in the information security field in recent years.

This thesis follows the logical thread "upper computer (supervisory host) system file-change anomaly detection, upper/lower computer communication anomaly detection, lower computer (field controller) data anomaly detection". First, it analyses the development of ICS and the current state of ICS information security, examines the existing ICS protection measure (industrial firewall technology) and its limitations, and surveys the mainstream anomaly detection techniques. Second, it analyses the ICS architecture in detail and divides the ICS into three zones, the "enterprise zone", the "upper computer zone" and the "lower computer zone", each receiving a different level of security protection. For the upper computer zone, the thesis studies file-change anomaly detection for the upper computer system and designs a file-change anomaly detection workflow and method; for upper/lower computer communication, it focuses on the open-source anomaly detection system Snort and its rules, and summarises and designs a set of Snort rules for the industrial fieldbus protocol MODBUS; for the lower computer, taking into account its control data, communication protocols and high real-time requirements, it combines clustering algorithms to propose an Adaptive Clustering-Based Outlier Detection algorithm (ACBOD). On this basis, an anomaly detection prototype system for ICS is built with ASP.NET, comprising three modules: upper computer system file-change anomaly detection, upper/lower computer communication anomaly detection and lower computer data anomaly detection. Finally, three sets of experiments are designed to evaluate the prototype, and the results demonstrate the system's effectiveness, correctness and practicality.
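The upper/lower computer communication module described above rests on inspecting Modbus/TCP traffic between the supervisory host and the controller. The following is an added example, not code from the thesis or its prototype: it parses the Modbus/TCP MBAP header and PDU and flags the kinds of anomaly a Snort rule set for MODBUS would target (malformed frames, unknown unit ids, and write function codes from a host that is not the authorised supervisory host). The allowed host 10.0.0.5, unit id 1 and the sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, FrozenSet

# Modbus function codes that change controller (lower computer) state.
# Hypothetical policy: only the supervisory host may issue them; reads may come from any monitored host.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    unit_id: int
    function: int
    data: bytes

def parse_modbus_tcp(payload: bytes) -> Optional[ModbusFrame]:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU; None if malformed."""
    if len(payload) < 8:
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    # The MBAP length field covers unit id + PDU, so it must equal total length minus 6.
    if length != len(payload) - 6:
        return None
    return ModbusFrame(tid, pid, uid, payload[7], payload[8:])

def check_frame(src: str, payload: bytes, writers: FrozenSet[str], units: FrozenSet[int]) -> List[str]:
    """Return the anomalies found in one request frame (empty list means normal)."""
    frame = parse_modbus_tcp(payload)
    if frame is None:
        return ["malformed MBAP header or truncated PDU"]
    alerts = []
    if frame.protocol_id != 0:          # Modbus/TCP always carries protocol id 0
        alerts.append(f"non-Modbus protocol id {frame.protocol_id}")
    if frame.unit_id not in units:
        alerts.append(f"request to unknown unit id {frame.unit_id}")
    if frame.function in WRITE_FUNCTIONS and src not in writers:
        alerts.append(f"write function {frame.function} from unauthorised host {src}")
    return alerts

# Illustrative Snort rule for the same write check (not the thesis's rule set):
# alert tcp !10.0.0.5 any -> any 502 (msg:"Modbus FC6 write from unauthorised host";
#   flow:to_server,established; content:"|00 00|"; offset:2; depth:2; content:"|06|"; offset:7; depth:1; sid:1000001;)

# Constructed sample traffic, not captured data: (source IP, raw Modbus/TCP bytes).
SAMPLE_FRAMES = [
    ("10.0.0.5",  bytes.fromhex("000100000006010300000010")),  # FC3 read 16 holding registers
    ("10.0.0.99", bytes.fromhex("000200000006010600100001")),  # FC6 write single register 16
    ("10.0.0.5",  bytes.fromhex("000300000006010300")),        # MBAP says 6 bytes, only 3 follow
]

def scan(frames=SAMPLE_FRAMES, writers=frozenset({"10.0.0.5"}), units=frozenset({1})) -> Dict[int, List[str]]:
    """Map frame index to its alert list so a caller can see which frame tripped which check."""
    return {i: check_frame(src, raw, writers, units) for i, (src, raw) in enumerate(frames)}
```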
[Degree-granting institution]: Chongqing University of Technology (重庆理工大学)
[Degree level]: Master's
[Year of degree]: 2014
[Classification number]: TP393.08





Link to this article: https://www.wllwen.com/guanlilunwen/ydhl/1886918.html

