
Research On DDoS Attack Suppression In ICS Environment

Posted on: 2019-03-25
Degree: Master
Type: Thesis
Country: China
Candidate: C G Wang
Full Text: PDF
GTID: 2348330542987629
Subject: Information security

Abstract/Summary:
With the development of the Internet of Things and industrial big data technology, Industrial Control Systems (ICS) have established more and more connections with the Internet. The once relatively isolated ICS has become increasingly open, which introduces hidden risks to its security. In recent years, ICS security incidents have occurred frequently. Among all attacks, Distributed Denial of Service (DDoS) seriously damages the continuity and availability of ICS and poses a great threat to its security. Research on DDoS attacks in the Internet environment has made some progress, but the differences between IT systems and ICS lead to different security requirements, so that research cannot be applied directly to ICS. Therefore, taking into account the ICS characteristics of high availability, low bandwidth and low delay, and based on an analysis of the characteristics of DDoS flows, we put forward the Compare and RDF-SVM algorithms to identify DDoS attack traffic, and finally design a comprehensive defense system. The experimental results show that the proposed system meets the security requirements of ICS when suppressing DDoS attacks and plays an important role in guaranteeing ICS security. The main contents of this paper are as follows:

(1) DDoS attack defense technology is introduced in two parts. First, the related technologies and research status of DDoS attack defense in the Internet environment are introduced. Second, the defense technology and research progress for DDoS attacks in the ICS environment are introduced.

(2) The Compare algorithm is proposed to detect DDoS attacks. Flow recognition is based on two indexes: the host connection request frequency and the degree of similarity between flows. The identification technique first analyzes the characteristics of DDoS attack flows and normal flows, and then uses the Compare algorithm to identify both random-address and real-address DDoS attacks based on the two indexes. The Compare algorithm, which contrasts flows pairwise, is applicable to ICS with relatively few devices. The recognition rate of the Compare algorithm is verified by experiments.

(3) The RDF-SVM algorithm is proposed to identify DDoS attacks. Based on flow analysis and statistics, 14 characteristic parameters that reflect the characteristics of ICS are extracted. The proposed RDF-SVM algorithm sorts the feature weights, re-screens the selected features so that they are not deleted by mistake, and finally obtains the feature subset used for classification. An experiment is designed to evaluate the proposed RDF-SVM algorithm, with accuracy, recall and precision selected as the evaluation indexes.

(4) A comprehensive DDoS attack defense system is designed and implemented. It combines the advantages of the Compare algorithm with those of the RDF-SVM algorithm and reduces the impact of erroneous judgements on ICS business. Considering recognition accuracy and time delay, experiments are carried out to verify that the system meets the ICS security requirements of high real-time performance, low bandwidth and low delay.
Keywords/Search Tags: ICS Security, DDoS Attack, Data Stream, Anomaly Analysis, Traffic Identification