Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data

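  • 1. Abstract
  • 2. Introduction
  • 3. System Modeling
  • (1) Cyber-attack detection model based on network traffic data and host system data
  • (2) AAKR-based cyber-attack detection model using process data
  • 4. Conclusion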


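1. Abstract

ICS cybersecurity currently relies mainly on firewalls, data diodes, and other intrusion prevention methods, which may not be sufficient against the growing cyber threats from attackers. To improve the cybersecurity of ICS, a cyber-attack detection system based on the defense-in-depth concept was developed using network traffic data, host system data, and measured process parameters. This attack detection system provides multiple layers of defense in order to buy defenders valuable time before unrecoverable consequences occur in the physical system. Within the proposed detection system, an auto-associative kernel regression (AAKR) model is studied to strengthen early attack detection. The results show that this approach can detect cyber attacks with physical impact before significant consequences occur. The proposed multilayer data-driven cyber-attack detection system using network, system, and process data is a promising solution for protecting ICS.

2. Introduction

A hybrid intrusion detection system combines signature-based and anomaly-based detection; this approach joins the accuracy of signature-based methods with the generality of anomaly-based systems. A data-driven hybrid IDS is a promising way to strengthen ICS cybersecurity and the defender's situational awareness.
This paper proposes a cyber-attack detection system that uses the defense-in-depth concept to strengthen ICS cybersecurity. The proposed multilayer intrusion detection system improves overall cybersecurity by combining signature-based and anomaly-based analysis of network, host, and process data. The main contribution and novelty of the paper is that it integrates network traffic data, host system data, and process data into one system to provide multilayer detection. After a firewall failure, the system applies supervised and unsupervised models to the network and system data, and uses an unsupervised model of the industrial process data as the last line of defense against cyber attacks.
The paper studies k-nearest neighbors (KNN), decision tree (DT), bootstrap aggregating (bagging), and random forest (RF) for distinguishing normal operation from cyber-attack scenarios using network and host system data. AAKR is investigated with physical process data to detect attack scenarios that the network and system data detection misses. The results show that these models detect a variety of cyber attacks effectively and with high accuracy.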

3. System Modeling

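Figure 1. Multilayer cyber-attack detection system

The system in Figure 1 is divided into three layers. The first defense layer is the traditional intrusion prevention layer, consisting of firewalls, data diodes, and gateways, which are already widely deployed in industry. The second defense layer consists of data-driven cyber-attack detection models based on network traffic and system data, including the classification models denoted M1 and the big-data analytics models denoted M2. The third defense layer uses the empirical model denoted M3 to detect abnormal operation that may be caused by a cyber attack.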

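(1) Cyber-attack detection model based on network traffic data and host system data

A total of 142 features related to memory, computer processes, and network behavior were selected for the dataset; these features provide useful information for attack detection. The dataset used for detection was collected under three cyber attacks: MITM, a DoS attack on the engineering workstation, and a DoS attack on the National Instruments cDAQ (data acquisition and control hardware). Observations collected while the system was under attack are labeled 1, and observations under normal conditions are labeled 0, indicating no cyber attack. The dataset is split into training data and test data, used to train the classifiers and to test their performance, respectively.

KNN, DT, bagging, and RF are the four classification methods examined in this study. Figure 2 shows the procedure for analyzing the data with these four classification methods.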

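Figure 2. Procedure for analyzing network and system data

(2) AAKR-based cyber-attack detection model using process data

AAKR is a memory-based, nonparametric, unsupervised error-correction algorithm; its predictions are the expected values of the sensed data under normal operating conditions. The predictions are computed as a weighted average of historical memory vectors, with weights determined by the distance between the query vector and each memory vector. The query vector is the observation under evaluation, and the memory vectors are past observations of fault-free operation retained in the memory matrix.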
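The weighted-average prediction described above, followed by a residual threshold check, as an added example that is not code from the paper. The Gaussian kernel with Euclidean distance, the bandwidth, the threshold, the z-score scaling, and the three signals (flow, pressure, temperature) are assumptions, and all data is constructed.

```python
import math
import statistics

def fit_scaler(memory):
    """Per-signal mean and standard deviation of the fault-free memory matrix."""
    cols = list(zip(*memory))
    return [statistics.fmean(c) for c in cols], [statistics.pstdev(c) for c in cols]

def scale(vec, mean, std):
    """Z-score one observation so every signal contributes equally to the distance."""
    return [(v - m) / s for v, m, s in zip(vec, mean, std)]

def aakr_predict(memory, query, bandwidth):
    """Gaussian-kernel weighted average of the memory vectors (inputs already scaled)."""
    d2 = [sum((m - q) ** 2 for m, q in zip(vec, query)) for vec in memory]
    nearest = min(d2)  # shifting by it leaves the weight ratios unchanged and avoids 0/0
    w = [math.exp(-(d - nearest) / (2.0 * bandwidth ** 2)) for d in d2]
    total = sum(w)
    return [sum(wi * vec[j] for wi, vec in zip(w, memory)) / total
            for j in range(len(query))]

def detect(memory, query, bandwidth=0.5, threshold=1.0):
    """Return (residuals, flagged signal indices) for one observation, in std-dev units."""
    mean, std = fit_scaler(memory)
    mem_s = [scale(v, mean, std) for v in memory]
    q_s = scale(query, mean, std)
    pred = aakr_predict(mem_s, q_s, bandwidth)
    residuals = [q - p for q, p in zip(q_s, pred)]
    return residuals, [i for i, r in enumerate(residuals) if abs(r) > threshold]

# Constructed fault-free history of a made-up loop: (flow, pressure, temperature)
MEMORY = [(f, 2.0 * f + 1.0, 50.0 + 0.5 * f) for f in (10.0 + 0.1 * k for k in range(41))]
NORMAL = (12.05, 25.1, 56.025)   # consistent with the relationship in the memory matrix
SPOOFED = (12.0, 30.0, 56.0)     # pressure reading inconsistent with flow and temperature

if __name__ == "__main__":
    for name, obs in (("normal", NORMAL), ("spoofed", SPOOFED)):
        res, flagged = detect(MEMORY, obs)
        print(name, [round(r, 3) for r in res], "flagged:", flagged)
```

The falsified pressure value also pulls the prediction for the untouched signals away from their readings, so their residuals are nonzero as well. Thresholds therefore have to be set from residuals observed on fault-free data rather than at zero.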

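4. Conclusion

In this study, we evaluated four M1 classification models for intrusion detection and implemented an AAKR model with residual threshold detection at the M3 defense layer. M1 and M3 were tested with data generated on a physical testbed, and the results show that the proposed cyber-attack detection system achieves high detection accuracy and broad attack coverage. To detect unknown attacks using network and host system data, the unsupervised big-data analytics models in M2 will be studied to further strengthen the second line of defense.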
