工业控制系统高隐蔽性数据攻击防御方法研究

doi:10.3969/j.issn.1671-1122.2022.12.005

摘要/Abstract

摘要：

工业控制系统（Industrial Control System，ICS）是工业生产过程中的关键部分，攻击者发起同时攻击多台设备的数据，使系统更加紊乱。针对ICS中存在的数据攻击，文章改进基于过程感知的隐蔽性攻击检测（Process-Aware Stealthy-Attack Detection，PASAD）算法，提出适用于多变量环境的基于鲁棒主成分分析法和过程感知的隐蔽性攻击检测（Robust Principal Component Analysis and Process-Aware Stealthy-Attack Detection，RPCA-PASAD）算法。首先，文章利用皮尔逊相关系数将强相关性的数据划分为同一个集群，并将异常数据进行放大，通过RPCA对数据进行降维和去噪，将去噪后的数据嵌入汉克尔矩阵；然后，文章利用投影矩阵分析去噪后的数据间的内在联系，获得系统稳定状态数据的中心；最后，文章采用最小二乘法对数据进行量化获取判别数据是否异常的阈值。对田纳西-伊斯曼（Tenhessee-Eastman，TE）过程模型和水处理模型（Secure Water Treatment，SWaT）进行了仿真测试，实验结果表明，文章所提检测算法适用于多变量数据攻击的检测环境，对隐蔽性数据攻击检测实时性较强，误报率较低，可以有效地部署在数据采集与监视控制（Supervisory Control and Data Acquisition，SCADA）系统主机和可编程逻辑控制器（Programmable Logic Controller，PLC）中，对实际生产生活中减少ICS的损失具有重要意义。

关键词: 工业控制系统, 异常检测, 隐蔽性数据攻击

Abstract:

Industrial control systems (ICS) is the key infrastructure in the industrial production process. Attackers attack multiple devices at the same time. This kind of data attack can aggravate the disorder of the system. In view of the data attacks in industrial control systems, this paper improved the process-aware stealthy-attack detection mechanism (PASAD), and proposed a robust principal component analysis and process-aware hidden attack detection algorithm(RPCA-PASAD) suitable for multivariate environments. Firstly, this paper used pearson correlation coefficient to divide the strongly correlated data into the same cluster, and magnifies the abnormal data. In this paper, RPCA was used to reduce and de-noise the data, and the de-noised data was embedded into the Hankel matrix. Secondly, this paper used the properties of the projection matrix to analyze the internal relationship between the denoised data to obtain the center of the system’s steady state data. At last, this paper used the least squares method to quantify the data and obtain the threshold for judging whether the data was abnormal. Simulation tests are carried out with the tennessee eastman (TE) process model and the secure water treatment (SWaT) model. The experimental results show that the detection algorithm in this paper is suitable for multivariate malicious data attack detection environment. The impact of the results has a strong real-time detection of hidden data attacks and a low false alarm rate, and can be efficiently deployed in the supervisory control and data acquisition (SCADA) host and programmable logic controller (PLC). It is of great significance for industrial control systems to reduce losses in production and life.

Key words: industrial control system, anomaly detection, hidden data attack

中图分类号:

TP309

徐茹枝, 吕畅冉, 龙燕, 刘远彬. 工业控制系统高隐蔽性数据攻击防御方法研究[J]. 信息网络安全, 2022, 22(12): 34-46.

XU Ruzhi, LYU Changran, LONG Yan, LIU Yuanbin. Defense Research of High-Hidden Data Attack in Industry Control System[J]. Netinfo Security, 2022, 22(12): 34-46.

图/表 14

图1

表1

图2

图3

图4

图5

图6

图7

图8

图9

图10

图11

表2

图12

参考文献 19

[1]	LIU Weidi, GUO Qiaojin, CHAN Yuandong, et al. Review of Industrial Control System Security Development[J]. Information Research, 2021, 47(1): 1-9.
	刘蔚棣, 郭乔进, 产院东, 等. 工业控制系统安全发展综述[J]. 信息化研究, 2021, 47(1):1-9.
[2]	FAN Kefeng, ZHOU Ruikang, LI Lin. Research on Information Security Standard System of Industrial Control System[J]. Information Technology & Standardization, 2016(6): 17-21.
	范科峰, 周睿康, 李琳. 工业控制系统信息安全标准体系研究[J]. 信息技术与标准化, 2016(6): 17-21.
[3]	MASOOD Z, RAJA M A Z, CHAUDHARY N I, et al. Fractional Dynamics of Stuxnet Virus Propagation in Industrial Control Systems[J]. Mathematics, 2021, 9(17): 1-27. doi: 10.3390/math9010001 URL
[4]	AOUDI W, ITURBE M, ALMGREN M. Truth will Out: Departure-Based Process-Level Detection of Stealthy Attacks on Control Systems[C]// ACM. Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2018: 817-831.
[5]	AOUDI W, ALMGREN M. A Framework for Determining Robust Context-Aware Attack-Detection Thresholds for Cyber-Physical Systems[C]// ACM. 2021 Australasian Computer Science Week Multiconference. New York: ACM, 2021: 1-6.
[6]	WAGHMARE S, KAZI F, SINGH N. Data Driven Approach to Attack Detection in a Cyber-Physical Smart Grid System[C]// IEEE. 2017 Indian Control Conference (ICC). New York: IEEE, 2017: 271-276.
[7]	LIU Dalong. Modeling and Detection of Sinusoidal Attack in Industrial Control System Based on MSPCA and its Improved Algorithm[D]. Hangzhou: Zhejiang University, 2018.
	刘大龙. 基于MSPCA及其改进算法的工控系统正弦攻击建模与检测研究[D]. 杭州: 浙江大学, 2018.
[8]	KAVOUSI-FARD A, SU W, JIN T. A Machine-Learning-Based Cyber Attack Detection Model for Wireless Sensor Networks in Microgrids[J]. IEEE Transactions on Industrial Informatics, 2020, 17(1): 650-658. doi: 10.1109/TII.2020.2964704 URL
[9]	CANDES E J, LI Xiaodong, MA Yi, et al. Robust Principal Component Analysis?[J]. Journal of the ACM (JACM), 2011, 58(3): 1-37.
[10]	JIN Lin, LI Yan. Analysis of Several Correlation Coefficients and Their Implementation in R language[J]. Statistics & Information Forum, 2019, 34(4): 3-11.
	金林, 李研. 几种相关系数辨析及其在R语言中的实现[J]. 统计与信息论坛, 2019, 34(4):3-11.
[11]	DOWNS J J, VOGEL E F. A Plant-Wide Industrial Process Control Problem[J]. Computers & Chemical Engineering, 1993, 17(3): 245-255. doi: 10.1016/0098-1354(93)80018-I URL
[12]	LIU De, WANG Xianshang. On-Line Identification State-Space Method of Multivariable System[J]. Systems Engineering, 1989(6): 59-63.
	刘德, 王先上. 多变量线性系统的在线辨识[J]. 系统工程, 1989(6):59-63.
[13]	YANG Yimin. The Modified Form of Weiszfeld’s Algorithm[J]. Journal on Numerical Methods and Computer Applications, 1993(4): 287-294. doi: 10.12288/szjs.1993.4.287
	杨益民. 修正的Weiszfeld算法[J]. 数值计算与计算机应用, 1993(4):287-294. doi: 10.12288/szjs.1993.4.287
[14]	GOH J, ADEPU S, JUNEJO K N, et al. A Dataset to Support Research in the Design of Secure Water Treatment Systems[C]// Springer. International Conference on Critical Information Infrastructures Security. Heidelberg: Springer, 2016: 88-99.
[15]	DUTTA A K, MUKHOTY B, SHUKLA S K. CatchAll: A Robust Multivariate Intrusion Detection System for Cyber-Physical Systems Using Low Rank Matrix[C]// ACM.Proceedings of the 2th Workshop on CPS&IoT Security and Privacy. New York: ACM, 2021: 47-56.
[16]	KU Wenfu, STORER R H, GEORGAKIS C. Disturbance Detection and Isolation by Dynamic Principal Component Analysis[J]. Chemometrics and Intelligent Laboratory Systems, 1995, 30(1): 179-196. doi: 10.1016/0169-7439(95)00076-3 URL
[17]	MALHOTRA P, RAMAKRISHNAN A, ANAND G, et al. LSTM-Based Encoder-Decoder for Multi-Sensor Anomaly Detection[EB/OL]. [2022-06-03]. https://arxiv.org/pdf/1607.00148.pdf.
[18]	INOUE J, YAMAGATA Y, CHEN Yuqi, et al. Anomaly Detection for a Water Treatment System Using Unsupervised Machine Learning[C]// IEEE. 2017 IEEE International Conference on Data Mining Workshops (ICDMW). New York: IEEE, 2017: 1058-1065.
[19]	ZHOU Chong, PAFFENROTH R C. Anomaly Detection with Robust Deep Autoencoders[C]// ACM. Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York: ACM, 2017: 665-674.

相关系数绝对值	相关性关系
0.0~0.1	数据间不存在相关关系
0.1~0.3	数据间存在弱相关关系
0.3~0.5	数据间存在中度相关关系
0.5~1.0	数据间存在强相关关系

	Attack	Normal
预测为Attack	TP	FP
预测为Normal	FN	TN