
Research On Intrusion Detection Method Of Industrial Control System Based On Hidden Semi-Markov Model

Posted on: 2022-04-29 | Degree: Master | Type: Thesis
Country: China | Candidate: Q Wang | Full Text: PDF
GTID: 2518306488493904 | Subject: Electronics and Communications Engineering
Abstract/Summary:
With the rapid development of Internet technology, more and more industrial control system (ICS) equipment uses the Internet for industrial data collection, transmission, storage and processing. ICS has changed from a simple closed system into a networked, complex open system. The vulnerability of traditional ICS and the lack of security protection measures, coupled with the integration of Internet information technology, further aggravate the security problems of industrial control networks. As an information security technology, intrusion detection can monitor and sense industrial control network anomalies in real time, and it is a research hotspot in ICS security protection. Existing ICS intrusion detection technology is mainly aimed at attacks below the application layer and cannot fully detect anomalies in application layer protocol content. Therefore, by analyzing the characteristics of industrial control systems and application layer attacks, this thesis proposes an application layer intrusion detection method using a phase-aware hidden semi-Markov model (pHSMM). In addition, considering data security and privacy issues during model training, this thesis proposes an ICS intrusion detection system based on federated learning. The main contents of the thesis are as follows:

Firstly, for industrial Internet application layer attacks, an ICS intrusion detection method based on pHSMM is proposed, which includes two stages: model training and anomaly detection. In the model training stage, the pHSMM is used to model the normal application layer payload of industrial control protocol packets. By describing the transition law between fields and the evolution law between the phases inside each field, the macro frame of the packet format and the micro structure of the packet fields are obtained automatically. In the anomaly detection stage, an anomaly detection method based on the similarity of the packet context is proposed. The likelihood of each packet is obtained from the trained pHSMM in order to infer the packet type and the contour characteristics of normal industrial control protocol packets. Furthermore, a probabilistic suffix tree model is constructed using the packet type labels as a time series to analyze contextual similarity, and anomalies are then detected by comparing the contextual similarity between new data and normal data. Multiple public industrial control protocol datasets are used to verify the effectiveness of the method, and the results show that the proposed intrusion detection method can accurately detect application layer anomalies.

Secondly, to protect the privacy and security of industrial user data, this thesis proposes an ICS intrusion detection method based on federated learning. The federated learning framework is used to learn the proposed pHSMM in a distributed manner: each participant's dataset is kept locally to update the pHSMM, and the updated parameters of the local model are uploaded to a central server for aggregation, realizing multi-party collaborative model training. The experimental results show that, compared with traditional centralized-data training methods, the accuracy of the model is basically unchanged, and the privacy and security of the data of all parties are guaranteed.
Keywords/Search Tags: Industrial control system safety, Intrusion Detection System, Hidden Semi-Markov Model, Federated Learning