With the development of information technology and growing functional requirements, industrial control systems are increasingly connected to enterprise networks and the Internet, forming an open network environment. This development has increased system security risk and the threat of intrusion, and network security issues have become more prominent. Because of the particular security requirements of industrial control networks, traditional IT information security technology cannot be applied directly. This paper studies intrusion detection technology for industrial control systems. According to the security requirements of industrial control networks, an abnormal behavior detection model based on a weighted support vector machine is established to improve detection performance for attack operations.

The thesis takes the Modbus/TCP industrial control network as its object of research. First, the security of the Modbus/TCP communication protocol and the special requirements of industrial network security are analyzed. Then, according to the characteristics of industrial communication behavior and the communication protocol specification, an intrusion detection feature extraction method based on the operation mode of abnormal behavior is proposed. It includes features selected directly from the protocol data and features constructed from the continuous flow data that reflect differences in operation mode. The flow data features extracted by this method can be fully applied to the detection of communication behavior. However, some detection features may be redundant, and redundant traffic data information not only affects the real-time performance of industrial control network communication but also reduces the detection rate of abnormal behavior. To remove this unwanted and disturbing information, the attribute reduction algorithm of rough set theory (RST) is used to reduce the detection features, which reduces the complexity of the intrusion detection model and the detection time and improves the practicality of the intrusion detection system.

In an industrial control network, normal samples far outnumber abnormal samples. The traditional support vector machine algorithm cannot account for this difference between the training data samples, so classification errors concentrate in the small-sample class; that is, the classification error rate for the small-sample class is high. In this paper, a weighted support vector machine (SVM) algorithm is used to establish the detection model of communication behavior. Weights on the sample class and on the sample data are used to reduce the effect of the different samples on SVM performance and to improve the detection rate for actual communication behavior.

To solve the problem of long training time and low detection rate, a modified particle swarm optimization (PSO) algorithm is used to optimize the model parameters. By adjusting the inertia weight, the global optimality and the convergence rate of PSO are improved. Optimizing the parameters of the detection model not only improves the detection rate of communication behavior but also reduces the false positive rate and the false negative rate. Furthermore, it enhances the security defense capability of the system to meet the efficiency and real-time requirements of intrusion detection in industrial networks.

Based on the analysis of Modbus/TCP industrial control network security and the established intrusion detection model, an actual industrial control network environment is built to verify and analyze the proposed method. The training and testing data sets for the intrusion detection model are established by extracting traffic data, and a simulation experiment is carried out. The results show that the intrusion detection model based on the weighted support vector machine (SVM) can effectively improve the ability to detect abnormal attack behavior and is of great significance for enhancing the security of industrial control networks.
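The two kinds of features described above (fields taken directly from the protocol data, and features built over consecutive frames to reflect the operation mode) can be sketched as follows. This is an added example, not code from the thesis; the window size, the feature names and the constructed sample frames are assumptions.

```python
import struct

WRITE_CODES = (5, 6, 15, 16)  # Modbus write coil/register function codes

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    func = frame[7]
    # Requests for codes 1-6, 15 and 16 begin with a 2-byte address
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return {"tid": tid, "unit": unit, "func": func, "addr": addr}

def window_features(frames, size=3):
    """Sliding-window features over consecutive frames (assumed design):
    ordered function-code pattern, write count, distinct addresses."""
    recs = [parse_modbus_tcp(f) for f in frames]
    out = []
    for i in range(len(recs) - size + 1):
        win = recs[i:i + size]
        codes = tuple(r["func"] for r in win)
        out.append({
            "pattern": codes,
            "writes": sum(c in WRITE_CODES for c in codes),
            "distinct_addrs": len({r["addr"] for r in win}),
        })
    return out

def build_request(tid, func, addr, value, unit=1):
    """Build a constructed request frame for the sample below."""
    pdu = struct.pack(">BHH", func, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: two register reads, then two register writes
SAMPLE = [build_request(1, 3, 0, 10), build_request(2, 3, 0, 10),
          build_request(3, 6, 4, 1), build_request(4, 6, 5, 1)]
FEATURES = window_features(SAMPLE)
```

Each window dictionary would become one row of the training set before attribute reduction and classification.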