基于规则匹配的分布式工控入侵检测系统设计与实现

doi:10.3969/j.issn.1671-1122.2017.07.007

信息网络安全 ›› 2017, Vol. 17 ›› Issue (7): 45-51.doi: 10.3969/j.issn.1671-1122.2017.07.007

基于规则匹配的分布式工控入侵检测系统设计与实现

程冬梅¹, 严彪^2,³, 文辉³(), 孙利民^2,³

1.中国人民解放军第305医院信息中心,北京 100017
2.中国科学院大学,北京 100049
3.中国科学院信息工程研究所,北京 100093

收稿日期:2017-05-15 出版日期:2017-07-20 发布日期:2020-05-12
作者简介:
作者简介：程冬梅（1964—）,女,北京,高级工程师,主要研究方向为信息处理、物联网安全、工业控制系统安全;严彪（1992—）,男,湖北,硕士研究生,主要研究方向为物联网安全、工业控制系统安全;文辉（1986—）,男,北京,助理研究员,博士,主要研究方向为物联网安全、工业控制系统安全、数据挖掘;孙利民（1966—）,男,北京,研究员,博士,主要研究方向为物联网安全、工业控制系统安全、无线传感网。
基金资助:
国家重点研发计划[2016YFC1202204];中国科学院国防科技创新基金项目[CXJJ-16Z234];北京市科委项目[Z161100002616032];高动态导航技术北京市重点实验室开放课题[HDN2017102]

The Design and Implement of Rule Matching-based Distributed Intrusion Detection Framework for Industry Control System

Dongmei CHENG¹, Biao YAN^2,³, Hui WEN³(), Limin SUN^2,³

1. Information Center of the 305 Hospital of Chinese People’s Liberation Army, Beijing 100017, China;
2. University of Chinese Academy of Sciences, Beijing 100049, China
3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China

Received:2017-05-15 Online:2017-07-20 Published:2020-05-12

摘要/Abstract

摘要：

文章设计了一种基于规则匹配的分布式入侵检测系统（RDIDS）,提出了基于规则匹配的入侵检测策略,通过定义网络连接白名单来检测未经授权的非法访问连接,自主分析流量特征并学习相应的判别规则来检测异常的流量变化,提取常态状态下的工控操作功能码序列组成操作规则来判断异常的工控操作,实现对工控系统在网络流量、协议内容、设备操作、设备状态和外部物理感知的全面监测。文章利用各种类型的工控软硬件设备搭建小型工控网络,并在此仿真环境下进行验证及测试,证明RDIDS系统架构及方法具备显著的检测性能。

关键词: 工业控制系统, 入侵检测系统, 分布式系统, 规则匹配

Abstract:

This paper proposed a rule-based distributed intrusion detection system (RDIDS) framework to reduce the impact of traditional industrial control system problems. Furthermore, RDIDS construct a set of rules that contains network status, traffic and industrial operation for intrusion detection. The network status rules that defined by operator can detect unauthorized access for protecting the safety of physical system from information disclosure. The traffic rules learned from the analysis of traffic characteristics can detect abnormal network data flow. The industrial operation rules extracted from the industrial operating sequence can detect abnormal industrial operation. Finally, an industrial control system was built for validation, which contains several hardware or software. The experimental results that conduct on the simulation of industrial control system show that our system have a considerable performance.

Key words: industrial control system, intrusion detection system, distributed system, rule matching

中图分类号:

TP309.1

程冬梅, 严彪, 文辉, 孙利民. 基于规则匹配的分布式工控入侵检测系统设计与实现[J]. 信息网络安全, 2017, 17(7): 45-51.

Dongmei CHENG, Biao YAN, Hui WEN, Limin SUN. The Design and Implement of Rule Matching-based Distributed Intrusion Detection Framework for Industry Control System[J]. Netinfo Security, 2017, 17(7): 45-51.

图/表 7

图1

图2

图3

图 4

表 1

表 2

表 3

参考文献 17

[1]	STOUFFER K A,FACLO J A,SCARFONE K A.Guide to Industrial Control Systems (ICS) Security - Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) [R]. Gaithersburg, Maryland, USA: National Institute of Standards and Technology (NIST), NIST SP - 800-82,2011.
[2]	PENG Y,JIANG C Q,XIE F,et al.Industrial Control System Cybersecurity Research[J]. Journal of Tsinghua University: Science and Technology, 2012, 52(10):1396-1408.
[3]	KNAPP E.Industrial Network Security—Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems [M]. Translated by Zhou Qin, Guo Bingyi, He Huimin, et al. Beijing: National Defense Industry Press, 2014.
[4]	Office of the Press Secretary,The White House. Presidential Policy Directive -- Critical Infrastructure Security and Resilience [EB/OL]. https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil,2013-2-12.
[5]	Industrial Control Systems Cyber Emergency Response Team. ICS-CERT Year in Review2013, 13-50369[EB/OL].
[6]	LIND O, MANIC M, VOLLMER T, et al.Fuzzy Logic Based Anomaly Detection for Embedded Network Security Cyber Sensor[C]//IEEE.Proc of IEEE Symp on Computational Intelligence in Cyber Security,April 11-15, 2011,Paris, France. NJ: IEEE, 2011:202-209.
[7]	STAVROULAKIS P, STAMP M.Handbook of Information and Communication Security[M]. Berlin: Springer, 2010.
[8]	MITCHELL R, CHEN I R.A Survey of Intrusion Detection Techniques for Cyber Physical Systems[J]. ACM Computing Survey, 2014, 46(4):55-84.
[9]	PAN S Y, MORRIS T H, ADHIKARI U, et al.Causal Event Graphs Cyber-Physical System Intrusion Detection System[C]// ACM. CSIIRW '13 Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop,January 8-10, 2013,Oak Ridge, Tennessee, USA. New York: ACM, 2013:40.
[10]	MORRIS T, VAUGHN R, DANDASS Y.A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems[C]// IEEE. HICSS '12 Proceedings of the 2012 45th Hawaii International Conference on System Sciences,January 4-7, 2012,Maui, HI, USA. Piscataway, NJ: IEEE, 2012: 2338-2345.
[11]	LIN H,SLAGELL A,MARTINO C D, et al.Adapting Bro into SCADA: Building a Specification-based Intrusion Detection System for the DNP3 Protocol[C]// ACM. CSIIRW '13 Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop. New York: ACM, 2013:1-4.
[12]	GOETZ E,SHENOI S.Critical Infrastructure Protection[M].Boston: Springer, 2008:161-173.
[13]	YANG D Y, USYNIN A, HINES J W. Anomaly-based Intrusion Detection for SCADA Systems[EB/OL]. https://www.researchgate.net/publication/228595190_Anomaly-based_intrusion_detection_for_SCADA_systems,2015-6-24.
[14]	MORRIS T, VAUGHN R, DANDASS Y.A Retrofit Network Intrusion Detection System for MODBUS RTU and ASCII Industrial Control Systems[C]// IEEE. HICSS '12 Proceedings of the 2012 45th Hawaii International Conference on System Sciences,January 4 - 7, 2012,Maui, HI, USA. Piscataway, NJ: IEEE, 2012: 2338-2345.
[15]	陈晓兵,陈凯,徐震,等. 面向工业控制网络的安全监管方案[J]. 信息网络安全,2016(7):61-70.
[16]	YANG Y, MCLAUGHLIN K,LITTLER T,et al. Intrusion Detection System for IEC 60870-5-104 Based SCADA Networks [EB/OL]// https://www.researchgate.net/publication/259802840_Intrusion_Detection_System_for_IEC_60870-5-104_based_SCADA_networks,2013-7-15.
[17]	王友俊,张红旗,王津,等. 面向任务的网络空间故障定位模型[J]. 信息网络安全,2017(4):61-70.

基于规则匹配的分布式工控入侵检测系统设计与实现

The Design and Implement of Rule Matching-based Distributed Intrusion Detection Framework for Industry Control System

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 17

相关文章 15

编辑推荐

Metrics

本文评价

[1]	郑敏, 王虹, 刘洪, 谭冲. 区块链共识算法研究综述[J]. 信息网络安全, 2019, 19(7): 8-24.
[2]	尚文利, 尹隆, 刘贤达, 赵剑明. 工业控制系统安全可信环境构建技术及应用[J]. 信息网络安全, 2019, 19(6): 1-10.
[3]	尚文利, 张修乐, 刘贤达, 尹隆. 工控网络局域可信计算环境构建方法与验证[J]. 信息网络安全, 2019, 19(4): 1-10.
[4]	陈瑞滢, 陈泽茂, 王浩. 工业控制系统安全监控协议的设计与优化研究[J]. 信息网络安全, 2019, 19(2): 60-69.
[5]	吕宗平, 丁磊, 隋翯, 顾兆军. 基于时间自动机的工业控制系统网络安全风险分析[J]. 信息网络安全, 2019, 19(11): 71-81.
[6]	刘敬浩, 平鉴川, 付晓梅. 一种基于区块链的分布式公钥管理方案研究[J]. 信息网络安全, 2018, 18(8): 25-33.
[7]	耿欣. 烟草企业工业控制系统安全保障体系研究[J]. 信息网络安全, 2017, 17(9): 34-37.
[8]	王昱镔, 陈思, 程楠. 工业控制系统信息安全防护研究[J]. 信息网络安全, 2016, 16(9): 35-39.
[9]	宋国江, 肖荣华, 晏培. 工业控制系统中PLC面临的网络空间安全威胁[J]. 信息网络安全, 2016, 16(9): 228-233.
[10]	彭昆仑, 彭伟, 王东霞, 邢倩倩. 信息物理融合系统安全问题研究综述[J]. 信息网络安全, 2016, 16(7): 20-28.
[11]	史婷婷, 赵有健. 网络入侵逃逸及其防御和检测技术综述[J]. 信息网络安全, 2016, 16(1): 70-74.
[12]	周益周, 王斌, 谢小权. 云环境下软件定义入侵检测系统设计[J]. 信息网络安全, 2015, 15(9): 191-195.
[13]	王小山, 杨安, 石志强, 孙利民. 工业控制系统信息安全新趋势[J]. 信息网络安全, 2015, 15(1): 6-11.
[14]	程骏路, 杨阳, 秦鹏宇, 程久军. 基于云查杀技术的轻量级局域网信息保护机制研究[J]. 信息网络安全, 2015, 15(1): 56-60.
[15]	王琦魁，李昕，赵甫. 工控系统信息安全与加工网络防护方案研究[J]. 信息网络安全, 2014, 14(9): 120-122.