工业控制系统高隐蔽性数据攻击防御方法研究

Defense Research of High-Hidden Data Attack in Industry Control System

工业控制系统(Industrial Control System,ICS)是工业生产过程中的关键部分,攻击者发起同时攻击多台设备的数据,使系统更加紊乱。针对ICS中存在的数据攻击,文章改进基于过程感知的隐蔽性攻击检测(Process-Aware Stealthy-Attack Detection,PASAD)算法,提出适用于多变量环境的基于鲁棒主成分分析法和过程感知的隐蔽性攻击检测(Robust Principal Component Analysis and Process-Aware Stealthy-Attack Detection,RPCA-PASAD)算法。首先,文章利用皮尔逊相关系数将强相关性的数据划分为同一个集群,并将异常数据进行放大,通过RPCA对数据进行降维和去噪,将去噪后的数据嵌入汉克尔矩阵;然后,文章利用投影矩阵分析去噪后的数据间的内在联系,获得系统稳定状态数据的中心;最后,文章采用最小二乘法对数据进行量化获取判别数据是否异常的阈值。对田纳西-伊斯曼(Tenhessee-Eastman,TE)过程模型和水处理模型(Secure Water Treatment,SWaT)进行了仿真测试,实验结果表明,文章所提检测算法适用于多变量数据攻击的检测环境,对隐蔽性数据攻击检测实时性较强,误报率较低,可以有效地部署在数据采集与监视控制(Supervisory Control and Data Acquisition,SCADA)系统主机和可编程逻辑控制器(Programmable Logic Controller,PLC)中,对实际生产生活中减少ICS的损失具有重要意义。

Industrial control systems(ICS) is the key infrastructure in the industrial production process. Attackers attack multiple devices at the same time. This kind of data attack can aggravate the disorder of the system. In view of the data attacks in industrial control systems, this paper improved the process-aware stealthy-attack detection mechanism(PASAD),and proposed a robust principal component analysis and process-aware hidden attack detection algorithm(RPCA-PASAD) suitable for multivariate environments. Firstly, this paper used pearson correlation coefficient to divide the strongly correlated data into the same cluster, and magnifies the abnormal data. In this paper, RPCA was used to reduce and de-noise the data,and the de-noised data was embedded into the Hankel matrix. Secondly, this paper used the properties of the projection matrix to analyze the internal relationship between the denoised data to obtain the center of the system’s steady state data. At last, this paper used the least squares method to quantify the data and obtain the threshold for judging whether the data was abnormal.Simulation tests are carried out with the tennessee eastman(TE) process model and the secure water treatment(SWaT) model. The experimental results show that the detection algorithm in this paper is suitable for multivariate malicious data attack detection environment. The impact of the results has a strong real-time detection of hidden data attacks and a low false alarm rate, and can be efficiently deployed in the supervisory control and data acquisition(SCADA) host and programmable logic controller(PLC). It is of great significance for industrial control systems to reduce losses in production and life.