Research on Intrusion Detection Algorithm of Industrial Control Network Based on Honeypot Technology (cited by: 2)
Abstract To improve the accuracy of intrusion detection in industrial control systems, and targeting the weaknesses of Modbus, the protocol most widely used in industrial control systems, this article uses honeypot technology to direct Modbus TCP packets into a honeypot system, studies the activity records they leave there, and extracts Modbus communication protocol features and honeypot activity features. Kernel principal component analysis is used to optimize the features of the nonlinear, highly complex Modbus communication behavior; to address the imbalance between positive and negative samples in the honeypot system, a weighted SVM is used for accurate classification. Finally, a simulation environment is built in which the Conpot honeypot simulates an industrial control system scenario, and detection methods are compared along three dimensions: accuracy, false alarm rate and detection time. Experimental results show that the overall accuracy of the method reaches 98.2%, and that it can be applied to intrusion detection in industrial control systems to accurately identify abnormal behavior.
Authors ZHANG Cheng (张成); LI Yong-zhong (李永忠) (School of Computer, Jiangsu University of Science and Technology, Zhenjiang 212003, China)
Source Software Guide (《软件导刊》), 2020, No. 11, pp. 202-205 (4 pages)
Keywords Modbus TCP; honeypot technology; kernel principal component analysis; support vector machine; network security; industrial control