Abstract
With the development of technology, industrial control systems (ICS) in intelligent automated manufacturing are increasingly connected to the Internet. The large number of attacks on the Internet directly affects the security of industrial control systems, and the security situation they face is becoming more and more serious. The network security of industrial control systems and critical infrastructure has therefore received close attention in recent years. To resist malicious software attacks against industrial control systems, network intrusion detection systems are a commonly used measure, and they follow two main strategies: anomaly detection, which uses statistical analysis and machine learning, and misuse detection, which compares traffic against attack characteristics or rules. This paper proposes a technique for detecting abnormal packets in an industrial control system network. The core concept of the technique is to find the regularity in the payloads of the TCP and UDP protocols and to construct a model of normal behavior. Using honeypots deployed in the industrial control system network, the system model can also generate additional features to help filter known attacks. The method is suitable for industrial control system protocols built on TCP and UDP, and the detection model is embedded in an industrial firewall to detect abnormal Modbus/TCP and BACnet/IP messages.
Source
Software Engineering and Applications (《软件工程与应用》)
2020, Issue 6, pp. 497-506 (10 pages)