
Design And Implementation Of Intrusion Detection System For Industrial Control System Based On Snort

Posted on: 2022-05-10
Degree: Master
Type: Thesis
Country: China
Candidate: L W Shuai
Full Text: PDF
GTID: 2518306491953479
Subject: Computer technology
Abstract/Summary:
As the critical infrastructure of industrial production, industrial control systems (ICS) are widely used in energy, the chemical industry, transportation and other national pillar industries. Because early industrial control systems were not connected to the internet, their system design and communication protocols were closed and self-contained, and security received little consideration. However, as China vigorously develops information technologies such as the Industrial Internet and the Internet of Things (IoT), the number of network-exposed ICS components grows year by year. To cope with this serious situation, an intrusion detection system (IDS) is often deployed at the edge of the ICS. Snort is the most widely used open-source IDS; it has a modular architecture and lends itself to secondary development. Snort is a signature-based IDS, which means it can only identify known attacks. ICS communication traffic differs between industries and scenarios, and this difference should be taken into account when performing intrusion detection on ICS traffic, by adjusting which message contents are inspected and the legal value ranges for them.

This thesis takes the Modbus TCP protocol, the most widely used protocol in ICS, as its research object and studies intrusion detection for Modbus TCP using two different approaches: a signature-based method and an anomaly-based method. The work done in this thesis covers the following aspects.

1. Starting from the signature-based approach, we propose an intrusion detection method that combines a whitelist mechanism with deep packet inspection (DPI). The method first learns from captured normal ICS communication traffic and constructs a whitelist of packets, which is then used to filter out illegal packets. Packets that pass the whitelist check are classified, and different detection criteria are applied to different categories of packets.

2. For the implementation of the method above, and taking the variation of ICS communication traffic into account, parameterized iptables and Snort rules are presented. Modbus Poll/Slave software is then used to build a communication environment with a Modbus master station and a Modbus slave station. Experimental results show that the proposed method filters out packets that do not meet the whitelist requirements, and verify that these Snort rules detect Modbus TCP abnormal packets that match the detection criteria.

3. We then propose an intrusion detection method that combines machine learning algorithms with Snort, following the anomaly-based approach; its advantage is the ability to identify unknown attacks. Using Modbus communication traffic that contains real attack behaviour, we select 15 Modbus TCP protocol features and, after analysing and preprocessing the traffic, construct datasets usable with machine learning classification models. Five classification models are trained and tested on these datasets, and random forest is determined to be the optimal model.

4. Because Snort cannot detect unknown attacks, we design a Snort preprocessor plugin with a built-in random forest anomalous-traffic detection model, then recompile and configure Snort. Experimental results show that the preprocessor effectively detects abnormal Modbus TCP messages. This approach extends the functionality of Snort so that it can also operate with an anomaly-based intrusion detection method.
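The two-stage check of item 1 (whitelist filter first, then category-specific DPI criteria) as an added Python example; this is not the thesis's code or its Snort/iptables rules. The whitelist entries, register ranges, addresses and request frames are constructed values, and only Modbus TCP function codes 3, 4 and 6 are handled.

```python
import struct
# Constructed whitelist (hypothetical): (master_ip, slave_ip, unit_id, function_code)
# tuples observed in captured normal traffic during the learning phase.
WHITELIST = {
    ("192.0.2.10", "192.0.2.20", 1, 3),  # read holding registers
    ("192.0.2.10", "192.0.2.20", 1, 6),  # write single register
}
# Category-specific legal ranges (hypothetical): readable registers, writable registers/values.
READ_RANGE = (0, 99)
WRITE_RULES = {40: (0, 1000)}
READ_FCS = {3, 4}
WRITE_SINGLE_REGISTER = 6

def inspect(src: str, dst: str, frame: bytes) -> str:
    """Return 'pass' or a 'reject: ...' reason for one Modbus TCP request frame."""
    if len(frame) < 8:
        return "reject: truncated MBAP header"
    # MBAP header: transaction id, protocol id, length, unit id; then the PDU function code
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", frame[:8])
    if proto != 0:
        return "reject: MBAP protocol id must be 0"
    if length != len(frame) - 6:
        return "reject: MBAP length does not match frame size"
    # Stage 1: whitelist filter on who talks to whom, which unit and which function
    if (src, dst, unit, fc) not in WHITELIST:
        return f"reject: ({src}, {dst}, unit {unit}, fc {fc}) not in whitelist"
    # Stage 2: classify the packet and apply the detection criteria for its category.
    # Both handled request types carry exactly two 16-bit fields after the function code.
    if len(frame) != 12:
        return "reject: malformed request PDU"
    a, b = struct.unpack(">HH", frame[8:12])
    if fc in READ_FCS:  # a = start address, b = quantity of registers
        if not 1 <= b <= 125:
            return f"reject: read quantity {b} outside 1..125"
        if a < READ_RANGE[0] or a + b - 1 > READ_RANGE[1]:
            return f"reject: read of registers {a}..{a + b - 1} outside allowed range"
        return "pass"
    if fc == WRITE_SINGLE_REGISTER:  # a = register address, b = value
        if a not in WRITE_RULES:
            return f"reject: register {a} is not writable"
        lo, hi = WRITE_RULES[a]
        if not lo <= b <= hi:
            return f"reject: value {b} for register {a} outside {lo}..{hi}"
        return "pass"
    return f"reject: no detection criteria for function code {fc}"

def build_request(tid: int, unit: int, fc: int, *fields: int) -> bytes:
    """Build a Modbus TCP request frame (used here only to construct test input)."""
    pdu = bytes([fc]) + b"".join(struct.pack(">H", f) for f in fields)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
```

A Snort preprocessor or iptables match would sit in front of the same two stages; the whitelist key and the per-category ranges are the parameters the thesis says must be adjusted per site.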
Keywords/Search Tags: Intrusion Detection, Snort, Whitelist, Deep Packet Inspection, Random Forest