Research On Anomaly Detection Method Based On Simulation Modeling

Posted on: 2017-12-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Gao
Full Text: PDF
GTID: 2348330503992885
Subject: Computer Science and Technology
Abstract/Summary:

As industrial control systems (ICS) become digitized, networked, and self-organizing, production efficiency increases, but more and more security risks and vulnerabilities are exposed. The fieldbus network layer in particular, which carries out control execution in an industrial control system, lacks effective methods for intrusion detection. At present, intrusion detection at the fieldbus network layer works by modeling network flow and analyzing packet characteristics and device features. These approaches suffer from poor generality, a high false-positive rate, and an inability to detect unknown anomalies.

Accordingly, this paper proposes an industrial control system anomaly detection method based on ICS simulation modeling. ICS simulation modeling is classified by fieldbus device type into controller modeling and controlled object modeling. Controller modeling is designed to prevent the control program, including its stored data, from being tampered with or destroyed. Controlled object modeling is designed to ensure that the system input obtained by the controller is credible. Based on the features of these two types of modeling, this paper proposes corresponding anomaly detection methods. The main research results are as follows:

Firstly, after summarizing the literature in the relevant research field, this paper analyzes the fragility of industrial control systems and studies two specific problems: controller logic is easy to tamper with, and data credibility cannot be ensured. It presents the idea of simulation modeling based on the controller's operating principle, and introduces the classic system identification and analysis methods of control systems into controlled object modeling.

Secondly, by analyzing the PLC operating principle, this paper designs a controller simulation model that follows that principle, and discusses its system architecture and deployment mode. It then describes the controller simulation process in detail, including lexical analysis, syntax analysis, intermediate code generation, etc. Finally, building on the controller model established, it presents the corresponding anomaly detection system and introduces its detection principle and methods.

Thirdly, this paper introduces the system identification modeling method to solve the problem of controlled object modeling. Data preprocessing removes the DC component and high-frequency noise from the modeling input data. It is generally accepted that the input to system identification should be stationary data with the DC component eliminated, so the modeling process first models the DC component and then removes it from the data. The paper then presents the order criterion, the parameter identification process, model selection, and model verification in the system identification method. Finally, based on the statistical properties of the discrepancy (residual) series produced by the identified system, it presents an anomaly detection method based on db6 wavelet decomposition, and walks through a complete modeling process with examples.

Lastly, this paper combines controller modeling and controlled object modeling into a fieldbus network layer modeling method, and sets up a simulation experiment environment that imitates a flume level control system in an industrial control system. By analyzing known attack methods and principles aimed at the fieldbus network layer, it classifies and summarizes the threats that fieldbus networks face. According to the classification results, three types of attack are simulated and tested against the anomaly detection method proposed above. The results indicate that the proposed method is capable of discovering all of these kinds of attack behavior, and of detecting unknown attack behavior that works on a similar principle.
Keywords/Search Tags:simulating, compiler theory, system identification, anomaly detection
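The controlled-object modeling pipeline the abstract describes (DC removal, system identification, then a check on the discrepancy series) can be sketched as follows. This is an added example, not code from the thesis: the first-order ARX model, the process parameters, the constructed level data and the frozen-reading anomaly are all assumptions, and a plain 6-sigma threshold on the residuals stands in for the thesis's db6 wavelet analysis.

```python
import random

def simulate(n, rng, a=0.9, b=0.5, u0=2.0, y0=50.0):
    """Constructed level process: valve command u, measured level y (with DC offsets)."""
    u = [u0 + (1.0 if (k // 7) % 2 == 0 else -1.0) for k in range(n)]
    x, y = 0.0, []
    for k in range(n):
        if k > 0:
            x = a * x + b * (u[k - 1] - u0) + rng.uniform(-0.02, 0.02)
        y.append(y0 + x)
    return u, y

def fit_arx(u, y):
    """Remove the DC component (mean), then fit y[k] = a*y[k-1] + b*u[k-1] by least squares."""
    um, ym = sum(u) / len(u), sum(y) / len(y)
    ud, yd = [v - um for v in u], [v - ym for v in y]
    syy = sum(p * p for p in yd[:-1])
    suu = sum(q * q for q in ud[:-1])
    syu = sum(p * q for p, q in zip(yd[:-1], ud[:-1]))
    ry = sum(p * t for p, t in zip(yd[:-1], yd[1:]))
    ru = sum(q * t for q, t in zip(ud[:-1], yd[1:]))
    det = syy * suu - syu * syu          # 2x2 normal equations, solved by Cramer's rule
    a = (ry * suu - ru * syu) / det
    b = (ru * syy - ry * syu) / det
    return {"a": a, "b": b, "um": um, "ym": ym}

def residuals(model, u, y):
    """One-step prediction error, using the DC levels learned during training."""
    ud = [v - model["um"] for v in u]
    yd = [v - model["ym"] for v in y]
    return [yd[k] - model["a"] * yd[k - 1] - model["b"] * ud[k - 1]
            for k in range(1, len(y))]

def detect(model, sigma, u, y, k_sigma=6.0):
    """Sample indices whose residual exceeds k_sigma times the training RMS residual."""
    r = residuals(model, u, y)
    return [k + 1 for k, e in enumerate(r) if abs(e) > k_sigma * sigma]

def demo():
    """Train on clean data, then score a clean run and one with a frozen level reading."""
    rng = random.Random(1)
    u_tr, y_tr = simulate(280, rng)
    model = fit_arx(u_tr, y_tr)
    r = residuals(model, u_tr, y_tr)
    sigma = (sum(e * e for e in r) / len(r)) ** 0.5
    u_te, y_te = simulate(280, rng)
    y_bad = y_te[:150] + [y_te[150]] * 30 + y_te[180:]  # constructed anomaly: samples 150-179 frozen
    return model, detect(model, sigma, u_te, y_te), detect(model, sigma, u_te, y_bad)
```

Because the valve command keeps changing while the reported level stays constant, every sample from 151 to 179 breaks the identified input/output relation, which is why the detector needs no signature for this particular anomaly.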