Industrial control systems (ICS) are mainly used for supervision and control of industrial production processes and are widely deployed in large-scale national infrastructure industries such as energy, electricity, chemicals and sewage treatment. In recent years, with the increasing demand for remote management and control, previously closed and isolated control systems have become more open and interconnected. This enhances the operator's ability to manage the system remotely but, on the other hand, exposes it to a variety of cyber attacks. The discovery of the Stuxnet virus in 2010 showed that industrial control systems are vulnerable not only to traditional cyber attacks but also to a new type of attack, the "semantic attack". Traditional network intrusion detection can only detect a single illegal data packet; it cannot detect a semantic attack, which is based on a sequence of messages. Aiming at this shortcoming of existing ICS anomaly detection methods in semantic attack detection, this thesis presents an ICS anomaly detection method based on a mix-order Markov tree model. The main work is as follows:

(1) Based on the periodicity and stability of industrial control systems, this thesis constructs the system's normal behavior model, a mix-order Markov tree, using an unsupervised self-learning method. An anomaly is detected when the observed behavior deviates significantly from the normal behavior model. Using a dynamic adaptive method, the model strengthens the correlation between state events and, where necessary, traces the history of the current state from one dimension to multiple dimensions, thereby extending the first-order Markov model to a mix-order Markov model. Moreover, the time interval information of the message sequence is introduced into the model, so that the model can detect more complex semantic attacks and the ability of the anomaly detection method to detect semantic attacks is improved.

(2) Aiming at problems such as an excessively complex model and high false positive and false negative rates in particular industrial control scenarios, a number of optimization strategies are proposed. A new definition of state events that combines instruction and data is proposed, extending the definition of state events. To handle the noise and redundant information introduced in the modeling stage, a de-noising pruning strategy is designed to simplify the model and reduce the false negative rate of the method. A weight-based abnormal alarm optimization strategy is designed, which introduces weight factors into the determination of anomalies and evaluates the risk of an anomaly before raising the alarm, so that the operator can give priority to high-risk anomalies according to their degree of risk; the false alarm rate and false negative rate of the method are thereby reduced.

(3) A simplified water treatment system based on the OMNeT++ network simulation environment is constructed to verify the function of the anomaly detection method. Moreover, the data set of a real physical test bed is used to verify the accuracy of the method. The verification results show that the proposed method not only detects traditional non-semantic attacks and simple semantic attacks such as time-based and order-based attacks, but also shows more complete detection ability for various complex semantic attacks compared with existing anomaly detection methods. Through the various optimization strategies, the false positive rate and false negative rate of the anomaly detection method are effectively reduced, the model is simplified and the detection efficiency of the method is improved.
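The modeling idea in (1) and the time-based and order-based attacks of (3), rendered as a small added example that is not code from the thesis: it learns transition contexts of length 1 to MAX_ORDER plus per-transition interval bounds from a constructed periodic tank-controller trace, then reports a transition never seen after the longest known history as an order anomaly and a known transition arriving outside its learned interval as a time anomaly. The CYCLE, MAX_ORDER and TOL values are assumptions made for the illustration.

```python
from collections import defaultdict

MAX_ORDER = 3  # deepest history the tree may use (assumed value)
TOL = 0.2      # relative tolerance on learned inter-message intervals (assumed)

# Constructed filling/draining loop of a toy tank controller: each step is
# (instruction, data, seconds since the previous message). The "mid" level is
# read both while filling and while draining, so its successor depends on
# more than one previous state; a first-order model cannot tell them apart.
CYCLE = [("READ_LEVEL", "low", 5.0), ("OPEN_VALVE", "1", 0.5),
         ("READ_LEVEL", "mid", 5.0), ("READ_LEVEL", "high", 5.0),
         ("CLOSE_VALVE", "0", 0.5), ("READ_LEVEL", "mid", 5.0)]

def make_trace(cycles, steps=CYCLE):
    """Expand per-step gaps into absolute timestamps: [(instruction, data, t)]."""
    trace, t = [], 0.0
    for _ in range(cycles):
        for instr, data, gap in steps:
            t += gap
            trace.append((instr, data, t))
    return trace

def build_model(events, max_order=MAX_ORDER):
    """Unsupervised learning of the normal model: for every context of length
    1..max_order store each observed next state with its [min, max] interval."""
    states = [(i, d) for i, d, _ in events]  # state event = (instruction, data)
    model = defaultdict(dict)                 # context tuple -> {next: [lo, hi]}
    for idx in range(1, len(events)):
        dt = events[idx][2] - events[idx - 1][2]
        for k in range(1, min(max_order, idx) + 1):
            bounds = model[tuple(states[idx - k:idx])].setdefault(states[idx], [dt, dt])
            bounds[0], bounds[1] = min(bounds[0], dt), max(bounds[1], dt)
    return model

def detect(model, events, max_order=MAX_ORDER):
    """Return [(index, kind)]: 'order' = next state never seen after the longest
    known history, 'time' = known transition but interval outside learned bounds."""
    states = [(i, d) for i, d, _ in events]
    alarms = []
    for idx in range(1, len(events)):
        dt = events[idx][2] - events[idx - 1][2]
        ctx = ()
        for k in range(min(max_order, idx), 0, -1):  # longest known context wins
            if tuple(states[idx - k:idx]) in model:
                ctx = tuple(states[idx - k:idx])
                break
        bounds = model.get(ctx, {}).get(states[idx])
        if bounds is None:
            alarms.append((idx, "order"))
        elif not (bounds[0] * (1 - TOL) <= dt <= bounds[1] * (1 + TOL)):
            alarms.append((idx, "time"))
    return alarms
```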