基于流量特征指纹的工控系统网络入侵检测

Network intrusion detection of industrial control system based on traffic characteristic fingerprint

对于工控系统网络入侵检测,目前主要从网络特性和入侵特性的角度来分析其特征,以达到检测网络入侵的目的.提出了一种基于工控系统流量特征指纹库的网络入侵检测方法,从工控系统的角度,采用分层分析法建立系统网络流量特征指纹库,同时建立实时流量特征库匹配模型,实现了网络入侵行为的检测和入侵信息的定位.通过分析工控系统的组成以及系统中设备的相关网络行为特征,采用分层分析法构建了以协议类别、流量大小、设备协议配置和协议数据内容组成的网络流量特征指纹库.当工控系统网络中出现入侵行为时,匹配模型能根据流量特征库有效辨别入侵并定位出网络中与入侵相关的信息.最后,以变电站工控系统为例搭建了仿真平台,通过模拟变电站系统间隔层网络中出现数据伪装入侵,实现了对变电站工控系统入侵行为的检测和入侵信息的定位.

At present, for intrusion detection of the industrial network system, it is mainly from the perspective of network characteristics and intrusion characteristics to analyze its characteristics;in order to achieve the purpose of detecting network intrusion. This paper presents a network intrusion detection method based on the flow characteristic fingerprint database of industrial control system. From the view of industrial control system, a hierarchical analysis method is used to establish the characteristic fingerprint database of the system network traffic. Meanwhile, the matching model of real-time traffic feature database is built to realize the detection of network intrusion behavior and the location of intrusion information. Through analysing the features of network behavior of composition of industrial control system and industrial control equipment, using hierarchical analysis method constructs network traffic fingerprint database with the agreement category, flow size, equipment protocol and protocol data content. When an intrusion occurs in the industrial control system network, the matching model can effectively identify the intrusion and locate the information associated with the intrusion in the network according to the traffic characteristic database. Finally, this paper takes the substation industrial system as an example to build a simulation platform by simulating substation system interlayer in the network intrusion data, to realize the location of the substation control system of intrusion detection and intrusion information.