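Research on a Weighted-SVM-Based Intrusion Detection Algorithm for Industrial Control Networks
Topics: industrial control network + intrusion detection; Source: Shenyang Ligong University, 2017 master's thesis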
[Abstract]: As information technology and functional requirements evolve, industrial control systems are increasingly connected to enterprise networks and the Internet, forming an open network environment. This networking of industrial control systems has steadily increased system security risks and intrusion threats, and the network security problems they face have become more prominent. Because of the particular nature of the industrial control network environment, traditional IT information security techniques cannot be applied directly to protecting industrial control networks. Based on the security requirements of industrial control networks, this thesis studies intrusion detection for industrial control systems and builds an abnormal-behavior detection model based on the weighted support vector machine (SVM) algorithm, in order to improve detection of attack operations.

Taking the Modbus/TCP industrial control network as the research object, the thesis first analyzes the security of the Modbus/TCP network structure and communication protocol. Based on the characteristics of industrial communication behavior and the protocol specification, it proposes an intrusion detection feature extraction method based on abnormal-behavior operation patterns, which includes directly selecting protocol data features and constructing continuous traffic data features that reflect differences in behavior patterns. The traffic data features extracted by this method can be fully applied to detecting and discriminating communication behavior, but some of them may be redundant. Because redundant traffic data information both affects the real-time performance of industrial control network communication and lowers the detection rate for abnormal behavior, the thesis uses the rough set theory (RST) algorithm to perform attribute reduction on the detection features, removing information that is useless for or interferes with detecting anomalous attacks, reducing the complexity and detection time of the intrusion detection model, and improving the practical applicability of the intrusion detection system.

Because normal samples in an industrial control network far outnumber abnormal samples, the traditional SVM algorithm cannot address the effect of the differences between training sample classes, so classification errors are skewed toward the small-sample class; that is, the classification error rate for the small-sample class is high. The thesis uses the weighted SVM algorithm to build the communication behavior detection model, weighting both data classes and data samples to reduce the influence of the different sample classes on SVM performance and improve the adaptability of the intrusion detection algorithm. To address the long training time and low detection rate of the SVM detection model, the thesis uses an improved PSO algorithm to optimize the model parameters, adjusting the inertia weight to improve the global optimality of the PSO search and speed up convergence. After the detection model parameters are optimized, the detection rate for communication behavior improves while the false positive rate and false negative rate fall, further strengthening the system's security defenses and meeting the efficiency and real-time requirements of industrial control network intrusion detection.

Building on the Modbus/TCP security analysis and the intrusion detection model, an actual industrial control network system environment was set up to further verify and analyze the proposed method. Communication traffic data was extracted to build the training and test datasets required by the intrusion detection model, and simulation experiments were carried out. The study shows that the intrusion detection model based on the weighted SVM algorithm effectively improves detection of anomalous attack behavior and is of significant value for strengthening industrial control network security.
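The feature-extraction step the abstract describes (protocol data features selected directly from Modbus/TCP frames, plus constructed features that summarize behavior over consecutive traffic) can be sketched as follows. This is an added example, not code from the thesis: the abstract does not list its features, so the four window features, the window size of 4 and the sample frames are all assumptions made for illustration.

```python
import struct

# Function codes that change device state (Modbus application protocol).
WRITE_CODES = {5, 6, 15, 16, 22, 23}

def build_request(tid, unit, func, addr, value):
    """Build a constructed Modbus/TCP request: MBAP header + 5-byte PDU."""
    pdu = struct.pack(">BHH", func, addr, value)
    # The MBAP length field counts the unit id byte plus the PDU.
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_adu(frame):
    """Extract protocol data features from one Modbus/TCP request frame."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header and function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("inconsistent MBAP header")
    func = frame[7]
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return {"tid": tid, "unit": unit, "func": func, "addr": addr,
            "pdu_len": length - 1}

def window_features(frames, size=4):
    """Turn consecutive frames into one behavior-feature row per window.

    The feature set is assumed for illustration, not taken from the thesis.
    """
    rows = []
    for i in range(0, len(frames) - size + 1, size):
        win = [parse_adu(f) for f in frames[i:i + size]]
        funcs = [p["func"] for p in win]
        rows.append({
            "write_ratio": sum(f in WRITE_CODES for f in funcs) / size,
            "distinct_funcs": len(set(funcs)),
            "distinct_addrs": len({p["addr"] for p in win}),
            "func_transitions": sum(a != b for a, b in zip(funcs, funcs[1:])),
        })
    return rows

# Constructed traffic: steady polling, then a window mixing reads and writes.
POLLING = [build_request(i, 1, 3, 0, 10) for i in range(4)]
MIXED = [build_request(10, 1, 3, 0, 10), build_request(11, 1, 6, 100, 1),
         build_request(12, 1, 6, 101, 1), build_request(13, 1, 5, 7, 0xFF00)]

if __name__ == "__main__":
    for row in window_features(POLLING + MIXED):
        print(row)
```

Rows like these are what a classifier such as the weighted SVM would be trained on; the steady polling window and the mixed read/write window produce clearly different feature vectors.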
[Degree-granting institution]: Shenyang Ligong University
[Degree level]: Master's
[Year degree conferred]: 2017
[Classification number]: TP393.08; TP273