一种面向S7协议的工控系统入侵检测模型

doi:10.3969/j.issn.1671-1122.2019.11.002

信息网络安全 ›› 2019, Vol. 19 ›› Issue (11): 8-13.doi: 10.3969/j.issn.1671-1122.2019.11.002

一种面向S7协议的工控系统入侵检测模型

田峥, 李树(), 孙毅臻, 黎曦

国网湖南省电力有限公司信息通信分公司,湖南长沙 410000

收稿日期:2019-09-16 出版日期:2019-11-10 发布日期:2020-05-11
作者简介:
作者简介：田峥（1983—）,男,湖南,高级工程师,博士,主要研究方向为网络与信息安全;李树（1991—）,男,湖南,工程师,博士,主要研究方向为网络信息安全、无线信道建模;孙毅臻（1990—）,男,湖南,工程师,硕士,主要研究方向为网络安全、关键信息基础设施安全;黎曦（1982—）,女,湖南,高级工程师,硕士,主要研究方向为网络安全。

Industrial Control System Intrusion Detection Model Based on S7 Protocol

Zheng TIAN, Shu LI(), Yizhen SUN, Xi LI

State Grid Hunan Electric Power Company Limited Information and Communication Branch,Changsha Hunan 410000, China

Received:2019-09-16 Online:2019-11-10 Published:2020-05-11

摘要/Abstract

摘要：

随着“中国制造2025”战略的提出,工业控制网络和互联网技术的融合程度也越来越高,同时工业控制网络的封闭性在一定程度上被打破,使得工业控制网络安全问题日益严重。S7协议是德国西门子公司的私有协议,广泛应用于工控网络的通信过程中。文章提出一种基于深度解析和白名单自学习的工控复合入侵检测模型,该模型利用深度解析算法实现对S7协议包的解析,通过白名单自学习算法动态构建白名单,采用白名单检测和异常行为检测相结合的复合入侵检测方法来检测异常。实验证明,该方法能有效检测出工业控制网络中异常的S7协议包,在5000个/s的发包速率下检测精度可达到98.3%。

关键词: 协议解析, 入侵检测, 白名单自学习, S7协议

Abstract:

With the proposal of “made in China 2025” strategy, the integration of industrial control network and Internet technology is getting higher and higher. At the same time, the closeness of industrial control network has been broken to a certain extent, making the problem of industrial control network security increasingly serious. S7 protocol is a private protocol of Siemens company in Germany, which is widely used in the communication process of industrial control network. This paper proposes an industrial control composite intrusion detection model based on deep analysis and white list self-learning. The model uses deep analysis algorithm to realize the analysis of S7 data packets, dynamically builds a white list through white list self-learning algorithm, and uses the composite intrusion detection method of white list detection and abnormal behavior detection to detect anomalies. The experiments show that the method can effectively detect the abnormal S7 protocol packets in the industrial control network, and the detection accuracy can reach 98.3% at 5000/s packet rate.

Key words: protocol analysis, intrusion detection, white list self-learning, S7 protocol

中图分类号:

TP309

田峥, 李树, 孙毅臻, 黎曦. 一种面向S7协议的工控系统入侵检测模型[J]. 信息网络安全, 2019, 19(11): 8-13.

Zheng TIAN, Shu LI, Yizhen SUN, Xi LI. Industrial Control System Intrusion Detection Model Based on S7 Protocol[J]. Netinfo Security, 2019, 19(11): 8-13.

图/表 7

图1

图2

图3

图4

图5

表1

图6

参考文献 14

[1]	XIA Chunming, LIU Tao, WANG Huazhong, et al.Current Situation and Development Trend of Information Security in Industrial Control System[J]. Information Security and Technology, 2013, 4(2): 13-18.
	夏春明,刘涛,王华忠,等. 工业控制系统信息安全现状及发展趋势[J]. 网络空间安全,2013,4(2):13-18.
[2]	SADEGHI A R, WACHSMANN C, WAIDNER M.Security and Privacy Challenges in Industrial Internet of Things[C]//ACM. 2015 52nd Annual Design Automation Conference, June 7 - 11, 2015, San Francisco, California. New York: ACM, 2015: 1-6.
[3]	DRIAS Z, SERHROUCHNI A, VOGEL O.Analysis of Cyber Security for Industrial Control Systems[C]//IEEE. 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications, August 5-7, 2015, Shanghai, China. NJ: IEEE, 2015: 1-8.
[4]	MARCO C, EMMANUELE Z, FRANK K.Sequence-aware Intrusion Detection in Industrial Control Systems[C]//ACM. The 1st ACM Workshop on Cyber-Physical System Security, March 14-April 14, 2015, Singapore. New York: ACM, 2015: 13-24.
[5]	PONOMAREV S, ATKISON T.Industrial Control System Network Intrusion Detection by Telemetry Analysis[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 13(2): 252-260.
[6]	TRIVEDI M.Toward Autonomic Security for Industrial Control Systems[D]. Starkville: Mississippi State University, 2015.
[7]	VASILOMANOLAKIS E, SRINIVASA S, CORDERO C G, et al.Multi-stage Attack Detection and Signature Generation with ICS Honeypots[C]//IEEE. 2016 IEEE/IFIP Network Operations and Management Symposium, April 25-29, 2016, Istanbul, Turkey. NJ: IEEE, 2016: 1227-1232.
[8]	PONOMAREV S, ATKISON T.Session Duration Based Feature Extraction for Network Intrusion Detection in Control System Networks[C]//IEEE. 2016 International Conference on Computational Science and Computational Intelligence, December 15-17, 2016. Las Vegas, NV, USA. NJ: IEEE, 2016: 892-896.
[9]	DUNLAP S, BUTTS J, LOPEZ J, et al.Using Timing-based Side Channels for Anomaly Detection in Industrial Control Systems[J]. International Journal of Critical Infrastructure Protection, 2016, 15: 12-26.
[10]	MUTHA A, TUTEJA M R R. Secure and Efficient Approach for Multilayer Cyber Security Based on Intrusion Detection System[J]. International Journal of Advent Research in Computer and Electronics, 2015, 2(2): 33-37.
[11]	GAI Keke, QIU Meikang, TAO Lixin, et al.Intrusion Detection Techniques for Mobile Cloud Computing in Heterogeneous 5G[J]. Security and Communication Networks, 2016, 9(16): 3049-3058.
[12]	VINAYAKUMAR R, SOMAN K P, VELAN K K S, et al. Evaluating Shallow and Deep Networks for Ransomware Detection and Classification[C]//IEEE. Sixth International Conference on Advances in Computing, Communications and Informatics(ICACCI-2017), September 13-16, 2017, Manipal, India. NJ: IEEE, 2017: 1282-1289.
[13]	CASELLI M, ZAMBON E, AMANN J, et al.Specification Mining for Intrusion Detection in Networked Control Systems[C]//USENIX Association. Proceedings of the 25th USENIX Security Symposium, August 10-12, 2016, Austin, United States. Austin: USENIX, 2016: 791-806.
[14]	KWON Y J, KIM H K, YONG H L, et al.A Behavior-based Intrusion Detection Technique for Smart Grid Infrastructure[C]//PowerTech. 2015 IEEE Eindhoven PowerTech, June 29 - July 2, 2015, Eindhoven, Netherlands. NJ: IEEE, 2015: 1-6.

异常类型	异常描述	白名单检测结果	异常行为检测
格式异常	非法IP	告警	未检测
格式异常	非法长度	告警	未检测
格式异常	非法端口号	告警	未检测
格式异常	非法协议类型	告警	未检测
格式异常	非法函数字段	告警	未检测
格式异常	非法地址字段	告警	未检测
格式异常	非法数据字段	告警	未检测
格式异常	非法文件名字段	告警	未检测
行为异常	高频响应	未告警	告警
行为异常	PLC异常关闭时间	未告警	告警
正常	COTP 连接包	未告警	未告警
正常	S7 正常数据包	未告警	未告警

[1]	王蓉, 马春光, 武朋. 基于联邦学习和卷积神经网络的入侵检测方法[J]. 信息网络安全, 2020, 20(4): 47-54.
[2]	罗文华, 许彩滇. 基于改进MajorClust聚类的网络入侵行为检测[J]. 信息网络安全, 2020, 20(2): 14-21.
[3]	康健, 王杰, 李正旭, 张光妲. 物联网中一种基于多种特征提取策略的入侵检测模型[J]. 信息网络安全, 2019, 19(9): 21-25.
[4]	冯文英, 郭晓博, 何原野, 薛聪. 基于前馈神经网络的入侵检测模型[J]. 信息网络安全, 2019, 19(9): 101-105.
[5]	饶绪黎, 徐彭娜, 陈志德, 许力. 基于不完全信息的深度学习网络入侵检测[J]. 信息网络安全, 2019, 19(6): 53-60.
[6]	刘敬浩, 毛思平, 付晓梅. 基于ICA算法与深度神经网络的入侵检测模型[J]. 信息网络安全, 2019, 19(3): 1-10.
[7]	陈虹, 肖越, 肖成龙, 陈建虎. 融合最大相异系数密度的SMOTE算法的入侵检测方法[J]. 信息网络安全, 2019, 19(3): 61-71.
[8]	张阳, 姚原岗. 基于Xgboost算法的网络入侵检测研究[J]. 信息网络安全, 2018, 18(9): 102-105.
[9]	张戈琳, 李勇. 非负矩阵分解算法优化及其在入侵检测中的应用[J]. 信息网络安全, 2018, 18(8): 73-78.
[10]	魏书宁, 陈幸如, 焦永, 王进. AR-OSELM算法在网络入侵检测中的应用研究[J]. 信息网络安全, 2018, 18(6): 1-6.
[11]	和湘, 刘晟, 姜吉国. 基于机器学习的入侵检测方法对比研究[J]. 信息网络安全, 2018, 18(5): 1-11.
[12]	刘超玲, 张棪, 杨慧然, 吴宏晶. 基于DPDK的虚拟化网络入侵防御系统设计与实现[J]. 信息网络安全, 2018, 18(5): 41-51.
[13]	陈红松, 王钢, 宋建林. 基于云计算入侵检测数据集的内网用户异常行为分类算法研究[J]. 信息网络安全, 2018, 18(3): 1-7.
[14]	翟继强, 肖亚军, 杨海陆, 王健. 改进的人工蜂群结合优化的随机森林的U2R攻击检测研究[J]. 信息网络安全, 2018, 18(12): 38-45.
[15]	赵旭, 黄光球, 崔艳鹏, 王明明. 基于改进选择算子的NIDS多媒体包多线程择危处理模型[J]. 信息网络安全, 2018, 18(10): 45-50.

一种面向S7协议的工控系统入侵检测模型

Industrial Control System Intrusion Detection Model Based on S7 Protocol

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 14

相关文章 15

编辑推荐

Metrics

本文评价