
Research And Application Of Industrial Control Networks Intrusion Prevention System Based On Isolation Forest

Posted on: 2021-01-20
Degree: Master
Type: Thesis
Country: China
Candidate: M D Hu
Full Text: PDF
GTID: 2428330632962681
Subject: Computer technology

Abstract/Summary:
Cybersecurity, an emerging "battlefield", has appeared as a keyword in international news with growing frequency in recent years. During the US-Iran confrontation in early 2020, for example, Iran declared that it had been hit by, and had repelled, the largest cyber-attack ever detected. Recalling the Stuxnet worm (the "Zhennet virus" of Chinese sources), which attacked Iran's nuclear facilities about ten years earlier, together with many other security incidents and network-surveillance scandals, it is not hard to see that countries around the world have gradually come to treat the network as a battlefield alongside sea, land, air and space. In this increasingly severe security situation the rapid development of the Internet is also an indispensable driver of national productivity, so research on network security is both significant and urgent. Industrial Control Systems (ICS), the cornerstone of a country's modern production, are among the assets most in need of protection; establishing a comprehensive intrusion prevention system for ICS is therefore essential.

This thesis studies an intrusion prevention system for industrial control networks based on machine-learning algorithms. The main work is as follows:

(1) Unsupervised anomaly-detection algorithm. To address the inflexibility of static rule detection and the high labour cost and poor timeliness of expert rules in traditional intrusion detection, an unsupervised anomaly-detection algorithm based on machine learning is proposed. After the system intercepts network traffic or other behavioural data, it performs simple, fast preprocessing to reduce each record to a feature vector. Random trees are built by repeatedly partitioning these vectors on their feature values, and the trees together form a forest. The position at which each record lands in each tree (its path length from the root) yields an anomaly score for the record: a record that is separated from the rest after only a few splits scores as anomalous. The record is finally judged normal or anomalous from that score. Because training the unsupervised algorithm requires no prior labelling of the data, it also suits practical ICS scenarios in which collecting and classifying data is difficult.

(2) Streaming model. The isolation forest model is adapted into a streaming model for the industrial control environment, so that it can respond in real time to an unbounded data stream while producing detection results concurrently. The proposed model is a forest built from decision trees. After the initial model has been built, the data stream is fed into a buffer; when the buffered data meet certain conditions, the whole forest is updated by modifying the tree structures. After an update, trees that have become too bloated or whose detection results deviate too far are discarded, and the same number of trees is rebuilt from the latest data, so the number of trees in the forest stays constant.

(3) System design and implementation. An intrusion prevention system was designed and implemented in client/server (C/S) mode, in which one server monitors the security status of several clients at the same time. The client agent process collects data and blocks, or otherwise handles, abnormal behaviour; the collected data comprise the host's network traffic and some process-behaviour information. The server analyses each client host's security status from the returned data: it first makes a preliminary judgement with static rules and, if that result is normal, passes the data to the machine-learning component for further detection and analysis. All data returned by clients are stored in Elasticsearch as a backup, while data belonging to the intrusion prevention system itself are stored in MongoDB. The system also provides a web management interface for overall management and control and for visual display of the data.

The intrusion prevention system designed and implemented in this thesis is also part of the results of a cooperation project with a national agency. Its small-scale trial deployment has contributed to raising the security defence level of the national power grid.
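As an added illustration of items (1) and (2) above, the following Python code (written for this page; it is not the thesis's own implementation) builds a minimal isolation forest, scores records by their average isolation path length, and wraps the forest in a buffered streaming variant that replaces its most deviant trees once the buffer fills. The records are constructed two-dimensional Gaussian vectors standing in for preprocessed traffic features. The replacement rule (largest deviation of a tree's mean path length from the forest mean, ties broken by node count), the 0.6 alert threshold, and the choice not to feed flagged records back into the buffer are assumptions of this example, not details taken from the thesis.

```python
import math
import random


def average_path_length(n):
    """c(n): expected depth of an unsuccessful search in a random BST over n points."""
    if n <= 2:
        return max(n - 1, 0.0)
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


class IsolationTree:
    """Random tree: each node splits one feature at a uniform value in its range."""

    def __init__(self, data, depth, max_depth, rng):
        self.size, self.node_count = len(data), 1
        self.feature = self.split = self.left = self.right = None
        if self.size <= 1 or depth >= max_depth:
            return
        splittable = [f for f in range(len(data[0]))
                      if min(r[f] for r in data) < max(r[f] for r in data)]
        if not splittable:
            return
        f = rng.choice(splittable)
        split = rng.uniform(min(r[f] for r in data), max(r[f] for r in data))
        left = [r for r in data if r[f] < split]
        right = [r for r in data if r[f] >= split]
        if not left or not right:
            return
        self.feature, self.split = f, split
        self.left = IsolationTree(left, depth + 1, max_depth, rng)
        self.right = IsolationTree(right, depth + 1, max_depth, rng)
        self.node_count += self.left.node_count + self.right.node_count

    def path_length(self, x, depth=0):
        if self.feature is None:  # leaf: add the expected depth below it
            return depth + average_path_length(self.size)
        child = self.left if x[self.feature] < self.split else self.right
        return child.path_length(x, depth + 1)


class StreamingIsolationForest:
    """Isolation forest that rebuilds its most deviant trees from a buffer of recent
    records. Replacement rule, threshold and buffering policy are example assumptions."""

    def __init__(self, n_trees=100, sample_size=128, buffer_size=128,
                 replace_fraction=0.2, threshold=0.6, seed=0):
        assert buffer_size >= sample_size  # rebuilt trees keep the same psi
        self.n_trees, self.psi, self.buffer_size = n_trees, sample_size, buffer_size
        self.n_replace = max(1, int(n_trees * replace_fraction))
        self.threshold, self.rng = threshold, random.Random(seed)
        self.trees, self.buffer, self.updates = [], [], 0

    def _build_tree(self, data):
        sample = self.rng.sample(data, self.psi)
        return IsolationTree(sample, 0, math.ceil(math.log2(self.psi)), self.rng)

    def fit(self, data):
        self.trees = [self._build_tree(data) for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1): records isolated after few splits score near 1."""
        mean_h = sum(t.path_length(x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-mean_h / average_path_length(self.psi))

    def observe(self, x):
        """Score one record; buffer it unless flagged (so an attack burst cannot pull
        the model towards itself); a full buffer triggers a forest update."""
        s = self.score(x)
        flagged = s >= self.threshold
        if not flagged:
            self.buffer.append(list(x))
            if len(self.buffer) >= self.buffer_size:
                self._update()
        return s, flagged

    def _update(self):
        per_tree = [sum(t.path_length(x) for x in self.buffer) / len(self.buffer)
                    for t in self.trees]
        forest_mean = sum(per_tree) / len(per_tree)
        ranked = sorted(range(len(self.trees)), reverse=True,
                        key=lambda i: (abs(per_tree[i] - forest_mean),
                                       self.trees[i].node_count))
        for i in ranked[:self.n_replace]:  # rebuild the same number: count is fixed
            self.trees[i] = self._build_tree(self.buffer)
        self.buffer, self.updates = [], self.updates + 1


def constructed_points(n, rng):
    """Constructed stand-ins for preprocessed feature vectors (not real traffic)."""
    return [[rng.gauss(0.0, 1.0), rng.gauss(0.0, 1.0)] for _ in range(n)]


def run_demo():
    rng = random.Random(42)
    forest = StreamingIsolationForest(seed=7).fit(constructed_points(500, rng))
    normal_score, _ = forest.observe([0.1, -0.2])
    anomaly_score, flagged = forest.observe([8.0, 8.0])  # far from all history
    for p in constructed_points(300, rng):  # live stream: fills the buffer twice
        forest.observe(p)
    return {"normal_score": normal_score, "anomaly_score": anomaly_score,
            "anomaly_flagged": flagged, "tree_count": len(forest.trees),
            "updates": forest.updates, "anomaly_after": forest.score([8.0, 8.0])}
```

Calling `run_demo()` scores a central record and a distant one, then streams 300 further records so the buffer fills twice and twenty trees are replaced each time while the forest stays at 100 trees. Two practical points the code makes visible: the score is normalised by `average_path_length(psi)`, so trees rebuilt from the buffer must use the same sample size as the originals (hence the assertion in the constructor), and excluding flagged records from the buffer is a deliberate trade-off, since it protects the model from being retrained on an attack but also means a genuine shift in normal behaviour that trips the threshold will never be learned.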
Keywords/Search Tags:Unsupervised, Machine Learning, Intrusion detection, Industrial control system