Research on Intelligent Threat Perception Technology for APT Attacks in the Industrial Control Domain
Published: 2019-04-24 21:48
【Abstract (translated from the Chinese)】: In recent years APT attacks have swept the globe, and APT attacks aimed at the industrial control domain directly damage critical infrastructure on which the national economy and people's livelihood depend. Since the Stuxnet worm attack on Iran's Bushehr nuclear power plant in 2010, APT attacks against industrial control systems have become a focus of attention for national security agencies, the industrial control industry, and researchers in the field. Drawing on the attack characteristics of the typical "Stuxnet" case and the existing literature on industrial control security, this thesis concentrates on a type of attack peculiar to ICS systems: sequence-based and time-based attacks that occur even though every network packet is perfectly well-formed. The thesis proposes a hierarchical, time-sequence-aware intrusion detection system based on discrete Markov chains, divided into a data-processing part and an intrusion-detection part. The data-processing part uses the Snort intrusion detection software to capture and filter Modbus-based industrial control network traffic; the filtered data is parsed according to the characteristics of Modbus protocol data and, using a Markov chain, abstracted into states and transitions to build a Markov model. In the intrusion-detection part, the thesis first classifies the sequence-based and time-based attacks specific to ICS systems and proposes anomaly detection algorithms for the categories to be detected. Based on the characteristics of data in the ICS control network, the anomaly detection algorithm is improved in three respects (data importance, data semantics and data regularity), which markedly lowers the false positive rate of the intrusion detection system and allows it to distinguish intrusions from merely suspicious behaviour. Finally, the proposed sequence-aware intrusion detection system is tested in an ICS simulation environment built in the laboratory. The results show that, compared with the algorithm before improvement, the improved algorithm effectively reduces the false positive rate and achieves higher detection efficiency and accuracy.
[Abstract]: In recent years, APT attacks have spread all over the world, and APT attacks on the industrial control field directly damage the critical infrastructure that supports the national economy and people's livelihood. Since the nuclear power plant in Bushehr, Iran was attacked by the Stuxnet worm in 2010, APT attacks in the field of industrial control have become the focus of attention of national security agencies, the industrial control industry, and experts and scholars in this field. Combining the attack characteristics of the typical Stuxnet case with the existing literature in the field of industrial control security, this paper focuses on an attack type specific to ICS systems: even when the packet format of the network communication is completely normal, sequence-based or time-based attacks can still occur. This paper presents a hierarchical, temporal-aware intrusion detection system based on a discrete Markov chain, divided into two parts: data processing and intrusion detection. The data processing part uses the Snort intrusion detection software to capture and filter Modbus-based industrial control network traffic, and extracts the filtered data according to the characteristics of Modbus protocol data; using a Markov chain, the extracted data is abstracted into states and transition relations, and a Markov model is established. In the intrusion detection part, this paper first classifies the sequence-based and time-based attacks specific to ICS systems, and proposes an anomaly detection algorithm for each category to be detected. According to the characteristics of data in the ICS control network, the anomaly detection algorithm is improved in three aspects: data importance, data semantics and data regularity. The false positive rate of the intrusion detection system is noticeably reduced, and intrusion behaviour can be distinguished from merely suspicious behaviour.
Finally, this paper tests the sequence-aware intrusion detection system in an ICS simulation environment built in the laboratory. The results show that the improved algorithm effectively reduces the false positive rate and has higher detection efficiency and accuracy than the algorithm before improvement.
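The abstract describes the detection approach only in outline: abstract each Modbus request into a state, learn the normal state-transition structure as a discrete Markov chain, then flag transitions that break the learned order (sequence-based attacks) or arrive at the wrong time (time-based attacks), with write operations weighted as more important so that a real intrusion can be told apart from merely suspicious traffic. The following Python example is added here to make that pipeline concrete; it is not code from the thesis. Everything in it is an assumption for illustration: the state abstraction (function code, start address), the probability threshold, the timing tolerance, the rule that an unexpected *write* is an "intrusion" while an unexpected read is only "suspicious", and the constructed polling trace standing in for Snort-captured Modbus/TCP traffic.

```python
"""Sequence- and timing-aware anomaly detection over a Modbus request trace
using a first-order discrete Markov chain. Constructed example, not the
thesis's own code; thresholds and the severity rule are assumptions."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Modbus function codes that change process state. An unexpected transition
# *into* one of these is rated as an intrusion rather than merely suspicious
# (a stand-in for the thesis's "data importance" weighting; assumption).
WRITE_CODES = {5, 6, 15, 16}


def to_state(record):
    """Abstract one request to a Markov state: (function code, start address)."""
    return (record["fc"], record["addr"])


def build_model(trace):
    """Learn transition probabilities and per-transition inter-arrival statistics
    from a clean trace of records {"t": seconds, "fc": code, "addr": address}."""
    counts = defaultdict(Counter)
    gaps = defaultdict(list)
    for prev, cur in zip(trace, trace[1:]):
        a, b = to_state(prev), to_state(cur)
        counts[a][b] += 1
        gaps[(a, b)].append(cur["t"] - prev["t"])
    probs = {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}
    timing = {k: (mean(v), pstdev(v)) for k, v in gaps.items()}
    return {"probs": probs, "timing": timing}


def detect(model, trace, p_min=0.05, k=3.0, tol_floor=0.05):
    """Score a trace against the model. Returns (index, kind, detail) alerts,
    where index is the position of the offending request in the trace."""
    alerts = []
    for i, (prev, cur) in enumerate(zip(trace, trace[1:]), start=1):
        a, b = to_state(prev), to_state(cur)
        p = model["probs"].get(a, {}).get(b, 0.0)
        if p < p_min:  # sequence anomaly: this order was never (or rarely) seen
            kind = "intrusion" if b[0] in WRITE_CODES else "suspicious"
            alerts.append((i, kind, f"unexpected transition {a}->{b} (p={p:.2f})"))
            continue
        mu, sigma = model["timing"][(a, b)]  # known transition: check its timing
        gap = cur["t"] - prev["t"]
        tol = max(k * sigma, tol_floor)
        if abs(gap - mu) > tol:
            alerts.append((i, "timing", f"gap {gap:.3f}s for {a}->{b}, expected {mu:.3f}+/-{tol:.3f}s"))
    return alerts


def normal_trace(n_cycles, t0=0.0, period=1.0):
    """Constructed clean trace: an HMI polls a PLC with a fixed three-step cycle
    (read holding registers, read coils, write one setpoint register)."""
    pattern = [(3, 0), (1, 0), (6, 10)]
    trace, t = [], t0
    for _ in range(n_cycles):
        for fc, addr in pattern:
            trace.append({"t": round(t, 3), "fc": fc, "addr": addr})
            t += period / len(pattern)
    return trace


def run_scenarios():
    """Train on a clean trace, then score three constructed deviations from it."""
    model = build_model(normal_trace(50))
    base = normal_trace(6)
    # 1. The legitimate setpoint write is re-sent 10 ms later: packets are
    #    well-formed, but write->write never occurs in the learned chain.
    replay = base[:3] + [{"t": base[2]["t"] + 0.01, "fc": 6, "addr": 10}] + base[3:]
    # 2. A read of an address range the HMI never touches: unexpected, but read-only.
    scan = base[:1] + [{"t": base[0]["t"] + 0.1, "fc": 3, "addr": 100}] + base[1:]
    # 3. Every request from the sixth onward is delayed by 0.5 s: the order is
    #    intact, so only the timing check can see it.
    stalled = [dict(r) for r in base]
    for r in stalled[5:]:
        r["t"] = round(r["t"] + 0.5, 3)
    return {
        "clean": detect(model, base),
        "replayed_write": detect(model, replay),
        "unusual_read": detect(model, scan),
        "stalled_cycle": detect(model, stalled),
    }


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(name, alerts or "no alerts")
```

With this split, the replayed write produces a single "intrusion" alert at position 3, the register scan produces two "suspicious" alerts (entering and leaving the unknown state) and no intrusion, and the stalled cycle produces one "timing" alert at position 5; the clean trace produces nothing. A real deployment would learn the chain from traffic Snort has already filtered to Modbus, and would choose `p_min` and the timing tolerance from the observed variance of the plant's polling cycle rather than from the constants used here.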
【Degree-granting institution】: Harbin Engineering University
【Degree level】: Master's
【Year of degree award】: 2016
【Classification number】: TP309
Article number: 2464817
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2464817.html