基于贝叶斯网络EM算法模型的工控蜜罐识别

Industrial Control Honeypot Recognition Based on Bayesian Network EM Algorithm Model

随着工控设备越来越多暴露于互联网,面临的安全威胁不断增加,主动防御已经成为一种必要的防御手段,蜜罐技术是一种有效的主动防御技术。攻击者为了攻击真实的资产设备,研究人员开始研究识别蜜罐的方法。对蜜罐进行准确识别涉及到许多不确定性因素。贝叶斯网络用于解决不确定性问题,与蜜罐识别问题相符合。基于蜜罐识别与贝叶斯网络的特点,提出了贝叶斯网络参数学习EM算法模型的工控蜜罐识别方法。首先,介绍了贝叶斯网络的理论基础及贝叶斯网络用于蜜罐识别的优势;接着,描述参数建模所用算法及预测推理算法,完成用于识别蜜罐的贝叶斯网络模型;最后,通过与SVM、KNN、随机森林和Native bayes算法作对比实验,验证所采用贝叶斯网络EM算法训练模型的性能更优,该模型借助贝叶斯联结树推理算法来完成预测识别,通过实例分析进行验证。实验结果表明,用EM算法训练的模型对于识别蜜罐是有效的。

As more and more industrial control equipment are exposed to the Internet,the security threats are increasing.Active defense has become a necessary defense method,and honeypot technology is an effective active defense technology.In order to attack the real asset equipment,the researchers have began to study the method of identifying the honeypot.Accurate identification of honeypot involves many uncertainties factors.Bayesian network is used to solve the uncertainty problem,which is consistent with the honeypot identification problem.Based on the characteristics of honeypot recognition and Bayesian network,we propose an industrial control honeypot recognition method based on Bayesian network parameter learning EM algorithm model.Firstly,the theoretical basis of Bayesian networks and the advantages of Bayesian networks for honeypot identification are introduced.Then,the algorithms used in parameter modeling and predictive inference algorithms are described,and the Bayesian network model for honeypot identification is completed.Finally,by comparing the experiments with SVM,KNN,Random Forest and Native Bayes algorithm,the performance of the training model of Bayesian network EM algorithm is verified,and the prediction recognition is accomplished by the Bayesian junction tree reasoning algorithm,which is verified through case analysis.Experimental results show that the model trained with the EM algorithm is effective for identifying honeypot.