Critical infrastructures such as electricity, energy, refining and transportation are crucial to a nation's stable operation and should be treated as a top priority of national security. Critical industrial infrastructures currently face increasing cyberspace threats to their underlying information and communication systems, causing economic loss and irreversible damage to society as a whole. To this end, this dissertation addresses anomalous network traffic situation analysis and dynamic security strategy in order to mitigate the risk that cybersecurity threats pose to industrial systems. The main technique used throughout is network traffic analysis, and the research is conducted in four areas: industrial network traffic modeling, industrial network traffic anomaly detection, quantified industrial network security assessment, and industrial network defense resource allocation. The main contributions of this dissertation are as follows:

(1) The intruders' attack surface of the substation communication network (SCN) and the typical attack path through the industrial control system (ICS) network are proposed, and the characteristics of industrial network traffic are summarized. Real industrial network security events and related reports are investigated, the ATT&CK attack chain analysis method is applied, and the architectures of these two typical industrial networks are combined to verify the vulnerabilities of industrial networks under advanced cyberspace threats; the characteristics of industrial network traffic are then summarized from real industrial network traffic.

(2) Four customized models are proposed to characterize the self-similarity, periodicity, big-data traits and parallel traits of industrial network traffic and so identify normal traffic patterns. The models are designed for different working conditions, security requirements, modeling purposes and environmental constraints of industrial networks. A multi-scale, multi-granularity threshold model of industrial network traffic is established using an algorithm that exploits its self-similarity. A dynamic online anomaly detection model with low algorithmic complexity is developed using an algorithm that exploits its periodicity and dynamic characteristics. An offline forecasting model for large-capacity, massive industrial network background traffic is established using an algorithm that exploits its big-data characteristics. Distributed anomaly detection of industrial network traffic is proposed using an algorithm that exploits its parallel traits, suited to the large-scale communication topology and many contained devices of an industrial network.

(3) A hybrid anomaly detection method for industrial network traffic, combining statistics and machine learning, is proposed. On top of the dynamic online detection model, a trigger mechanism is designed in alliance with the machine-learning-based offline background traffic model. Cyber-attacks and network anomalies can be detected with a low false omission rate, since the online triggering architecture improves detection performance.

(4) A multi-scale, multi-granularity cyber situational quantification model for industrial network traffic is proposed. The anomalous situation is analyzed according to the deviation between the real-time traffic and the established industrial network traffic thresholds. Industrial network security risk is evaluated quantitatively with the introduction of protocol parameters and topology parameters; at the same time, a dynamic network condition evaluation, the most affected protocol and the corresponding risks of the contained devices are provided.

(5) An optimal defense resource allocation strategy based on distributed network traffic anomaly detection is proposed. The industrial network is divided into multiple security zones, with quantitative information parameters for every contained device, according to the typical architectures of industrial networks. The statistics-based distributed network traffic detection model dynamically characterizes abnormal deviation and further outlines the attack path. A multi-objective optimization algorithm is designed that considers the critical assets on the attack path and the trade-off among vulnerability, cost and criticality. Optimal defense resource allocation strategies under different defense resource availabilities are selected.

The anomalous situation analysis and dynamic security strategy proposed in this dissertation are expected to improve the security of industrial networks and address the existing challenges in industrial network traffic analysis.
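To make the chain from contributions (2) and (4) to contribution (5) concrete, the following is an added Python illustration, not code from the dissertation: per-zone traffic is scored against thresholds at two time scales (a threshold of mu + k*sigma/sqrt(w) at scale w, derived from a training window), a trigger fires only when the deviation persists across scales, and the triggered zones then feed a budget-constrained choice of which zones to harden, scalarising vulnerability, cost and criticality into a single priority. The zone names, traffic samples, cost/vulnerability/criticality values, the sqrt(w) scaling rule, the "boost" weighting for triggered zones and the exhaustive subset search are all assumptions of this example; the dissertation's own models and optimizer are not reproduced here.

```python
"""Added illustration (not the dissertation's code): multi-scale threshold
deviation scoring of per-zone traffic, and a budget-constrained defense
allocation driven by the zones that trip the trigger.

Zone names, parameters and traffic samples are all constructed here."""
from itertools import combinations
from math import sqrt
import statistics

# Constructed packet-rate series (packets/s, one sample per second) for three
# hypothetical security zones of a substation network. "bay_level" carries a
# sustained burst in the online part; the other two stay near their baseline.
TRAFFIC = {
    "station_level": [100, 102, 98, 101, 99, 103, 100, 98, 101, 100, 102, 99],
    "bay_level":     [50, 52, 49, 51, 50, 53, 400, 420, 410, 50, 51, 49],
    "process_level": [200, 201, 199, 198, 202, 200, 199, 201, 200, 198, 202, 201],
}

# Constructed per-zone defence parameters (assumed values): cost of hardening
# the zone, and vulnerability and criticality on a 0..1 scale.
ZONES = {
    "station_level": {"cost": 3, "vuln": 0.4, "crit": 0.9},
    "bay_level":     {"cost": 2, "vuln": 0.6, "crit": 0.7},
    "process_level": {"cost": 4, "vuln": 0.5, "crit": 1.0},
}


def baseline(series, train_len):
    """Mean and standard deviation of the first train_len samples, i.e. the
    normal pattern the thresholds are derived from."""
    head = series[:train_len]
    mu = statistics.fmean(head)
    sigma = statistics.pstdev(head) or 1e-9  # flat traffic: avoid division by zero
    return mu, sigma


def multiscale_deviation(series, train_len=6, scales=(1, 3), k=3.0):
    """Score the online part of a series against thresholds at several scales.

    At scale w the traffic is averaged over w consecutive samples; for roughly
    independent samples the spread of such averages shrinks to sigma/sqrt(w),
    so the threshold at that scale is mu + k*sigma/sqrt(w).  Returns, per
    scale, the largest deviation (in units of that scale's sigma) seen in the
    online part, plus a trigger flag set only when every scale exceeds k.  A
    one-sample spike scores sqrt(w) times lower at scale w than at scale 1,
    so the trigger favours sustained deviations over isolated spikes.
    """
    mu, sigma = baseline(series, train_len)
    online = series[train_len:]
    worst = {}
    for w in scales:
        scale_sigma = sigma / sqrt(w)
        windows = [online[i:i + w] for i in range(len(online) - w + 1)]
        worst[w] = max((statistics.fmean(win) - mu) / scale_sigma for win in windows)
    triggered = all(d > k for d in worst.values())
    return worst, triggered


def zone_priority(name, triggered, boost=2.0):
    """Scalarised risk of a zone: vulnerability x criticality, multiplied by
    `boost` when the zone's traffic tripped the trigger (assumed weighting)."""
    z = ZONES[name]
    return z["vuln"] * z["crit"] * (boost if triggered else 1.0)


def allocate_defense(budget, triggered_zones):
    """Choose the set of zones to harden that maximises total priority without
    exceeding the budget.  Exhaustive over subsets, which is fine for a
    handful of zones; ties are broken toward the cheaper set."""
    names = list(ZONES)
    best = (0.0, 0, ())
    for r in range(1, len(names) + 1):
        for subset in combinations(names, r):
            cost = sum(ZONES[n]["cost"] for n in subset)
            if cost > budget:
                continue
            value = sum(zone_priority(n, n in triggered_zones) for n in subset)
            if value > best[0] or (value == best[0] and cost < best[1]):
                best = (value, cost, tuple(sorted(subset)))
    return best[2]


def run(budgets=(2, 5, 6, 9)):
    """Detect triggered zones, then plan hardening under several budgets."""
    triggered = {name for name, series in TRAFFIC.items()
                 if multiscale_deviation(series)[1]}
    return triggered, {b: allocate_defense(b, triggered) for b in budgets}


if __name__ == "__main__":
    trig, plans = run()
    print("triggered zones:", trig)
    for b, plan in plans.items():
        print(f"budget {b}: harden {plan}")
```

With the constructed data only the bay-level zone trips the trigger, and the plan changes with the budget: at budget 2 only that zone is hardened, at 5 the station level is added, at 6 the process level displaces it, and at 9 all three are covered. In a real deployment the baseline window, the set of scales and the zone parameters would come from the traffic models and asset inventory rather than from literals.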