Scenario fingerprint of an industrial control system and anomaly detection
PENG Yong1,2, XIANG Chong2, ZHANG Miao1, CHEN Dongqing2, GAO Haihui2, XIE Feng2, DAI Zhonghua2
1. Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China; 2. China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: Industrial control systems (ICSs) are cyber-physical systems (CPSs) that supervise and control physical processes in national critical infrastructure industries such as electric power, water treatment, oil and natural gas, transportation, critical manufacturing, and the chemical industry. Based on the observation that the control communication data flows in an ICS are stable and persistent, this paper proposes a concept and a methodology of ICS scenario fingerprinting, which extracts system-level behavior characteristics from the interaction patterns of industrial control protocols. An ICS scenario fingerprint can identify a unique ICS installation, and it can also serve as a more general method to establish a normal-behavior baseline for an ICS and, from that baseline, to identify the system's abnormal behavior. An experimental system was built with real industrial control equipment and software for the cyber domain and a simulated physical process for the physical domain, and validation experiments were run on it. The experimental results demonstrate that ICS scenario fingerprinting provides ICS security research with a promising method.
Key words: industrial control system (ICS); cyber-physical system (CPS); scenario fingerprint; anomaly detection
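The following Python sketch is an added example, not code from the paper, that implements the abstract's idea in miniature: the baseline traffic is reduced to transaction patterns (who asks whom, on which port, with which request and reply sizes) together with each pattern's polling period, and new traffic is flagged when it shows a pattern absent from the baseline or a period that drifts from it. The addresses, TCP port 102, message lengths and the 25% period tolerance are assumptions of this example; the packet records are constructed inline.

```python
from collections import defaultdict
from statistics import mean

# Constructed packet record: (time_s, src, dst, dst_port, msg_type, length).
def hmi_poll(t0, n, period=1.0):
    """HMI polls the PLC every `period` seconds; each poll is answered 20 ms later."""
    pkts = []
    for i in range(n):
        t = t0 + i * period
        pkts.append((t, "10.0.0.10", "10.0.0.20", 102, "read_req", 31))
        pkts.append((t + 0.02, "10.0.0.20", "10.0.0.10", 102, "read_resp", 57))
    return pkts

def foreign_poll(t0, n):
    """Constructed: a host absent from the baseline queries the PLC rapidly."""
    pkts = []
    for i in range(n):
        t = t0 + i * 0.1
        pkts.append((t, "10.0.0.99", "10.0.0.20", 102, "read_req", 25))
        pkts.append((t + 0.01, "10.0.0.20", "10.0.0.99", 102, "read_resp", 40))
    return pkts

def transactions(pkts):
    """Pair each request with the next reply in the reverse direction.
    Returns {(src, dst, port, req_len, resp_len): [request timestamps]};
    resp_len is None for requests that never received a reply."""
    pending, tx = {}, defaultdict(list)
    for t, src, dst, port, kind, length in sorted(pkts):
        if kind.endswith("_req"):
            pending[(src, dst, port)] = (t, length)
        elif (dst, src, port) in pending:
            t_req, req_len = pending.pop((dst, src, port))
            tx[(dst, src, port, req_len, length)].append(t_req)
    for (src, dst, port), (t, req_len) in pending.items():
        tx[(src, dst, port, req_len, None)].append(t)
    return tx

def fingerprint(baseline_pkts):
    """Scenario fingerprint: each transaction pattern with its mean period (None if seen once)."""
    return {k: mean(b - a for a, b in zip(ts, ts[1:])) if len(ts) > 1 else None
            for k, ts in transactions(baseline_pkts).items()}

def detect(fp, observed_pkts, tol=0.25):
    """Flag patterns missing from the fingerprint and periods that deviate by more than tol."""
    alerts = []
    for k, ts in transactions(observed_pkts).items():
        if k not in fp:
            alerts.append(("unknown_pattern", k))
        elif fp[k] and len(ts) > 1:
            period = mean(b - a for a, b in zip(ts, ts[1:]))
            if abs(period - fp[k]) / fp[k] > tol:
                alerts.append(("period_deviation", k, round(period, 2)))
    return alerts
```

On a real capture the same two checks would run over packets parsed from the PCAP, with the protocol's own request and reply type fields in place of the constructed `msg_type` strings.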
Received: 2014-10-28; Published: 2016-01-29
Cite this article:
PENG Yong, XIANG Chong, ZHANG Miao, CHEN Dongqing, GAO Haihui, XIE Feng, DAI Zhonghua. Scenario fingerprint of an industrial control system and anomaly detection. Journal of Tsinghua University (Science and Technology), 2016, 56(1): 14-21.
Link to this article:
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2016.23.013 or http://jst.tsinghuajournals.com/CN/Y2016/V56/I1/14
Figures and tables:
Fig. 1 Typical architecture of an industrial control system
Fig. 2 Experimental topology of the ICS CSTR scenario
Fig. 3 CSTR model
Fig. 4 Procedure for acquiring the ICS scenario fingerprint
Fig. 5 Captured network traffic PCAP file
Fig. 6 Long-lived TCP connection between the HMI and the PLC
Table 1 Interaction time differences at different orders of magnitude
Fig. 7 Number of packet vectors at different time scales
Table 2 Transaction pattern statistics
Fig. 8 Transaction patterns in the CSTR scenario
Fig. 9 ISO-on-TCP protocol packets
Fig. 10 Data flow of a PLCScan scanning attack