Abstract
Attacker traceback is important for maintaining the security of industrial control systems (ICS). By deploying distributed ICS honeypots and collecting malicious ICS traffic, we propose a CNN-LSTM-based method for detecting homologous attacks on ICS protocols. A CNN and an attention-based LSTM learn packet-level and flow-level features, and the model is iteratively optimized for classification using the back-propagation (BP) algorithm. Compared with other methods, the model achieves higher accuracy and a higher F1 score, and it is particularly well suited to processing offline ICS honeypot data, reaching an accuracy of 93.7%. It identified 10 groups, including well-known device search engines such as Shodan and Censys, involving more than 200 IP nodes.
Authors
禹宁
竹瑞博
狄婷
任晓刚
王建华
Yu Ning; Zhu Ruibo; Di Ting; Ren Xiaogang; Wang Jianhua (Information and Telecommunication Company, State Grid Shanxi Electric Power Corporation, Taiyuan 030021, Shanxi, China; Shanxi Liantuo Technology Company Limited, Taiyuan 030021, Shanxi, China; College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, Shanxi, China)
Source
Computer Applications and Software (《计算机应用与软件》)
Peking University Core Journal
2023, No. 5, pp. 331-337 (7 pages)
Funding
Shanxi Provincial Key Research and Development Project (201903D121121)
Shanxi Provincial Natural Science Foundation Project (201701D111002).