
Research And Implementation Of Deception Defense Technology Based On Virtual PLC

Posted on: 2024-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Zhang
GTID: 2558307067473384
Subject: Computer technology

Abstract/Summary:
Traditional industrial control systems rely on the assumption of environmental isolation to ensure their security. However, with the advent of the industrial Internet era, existing industrial control systems are facing serious security threats. Passive defense technologies such as firewalls and intrusion detection systems are powerless against zero-day attacks and highly covert APT attacks. Traditional honeypot technology, with its limited scalability and device simulation capabilities, is easily identified by attackers.

To enhance the ability of industrial control systems to perceive highly covert unknown threats, this paper proposes a deception defense model and implementation method based on virtualized PLCs, which deploys virtualized PLC devices on a general-purpose computing platform to simulate the control protocol and control behavior of industrial control devices. By using virtualized PLC devices, potential attackers can be lured into attacking the target system. Furthermore, this paper proposes an anomaly detection method based on production data to determine whether there is any abnormal behavior in the control device. The technology proposed in this paper has been applied to actual engineering projects. The main contributions of this paper are as follows.

A deception defense model based on virtualized PLCs and its implementation architecture is proposed. Trap and detection modules are added to a typical industrial control OT network architecture. A virtualized PLC is used as the trap module to simulate the interaction protocol and control behavior of the control device, which can trigger potential attack behavior by attackers. A production data anomaly detection method is designed for deception defense, which performs anomaly analysis on industrial production data to determine whether there is abnormal control behavior.

This paper proposes a hypervisor-based PLC virtualization implementation solution, which can deploy multiple control devices as deception and trap devices in an OT network on demand, based on a general computing platform and container environment.

We propose a hybrid model for detecting anomalies in industrial production data based on LSTM and XGBoost. This method serves as the anomaly detection module of the deception defense model proposed in this paper and works together with the trap module to achieve active defense capability in industrial control OT networks. The proposed solution uses normal production data to train the LSTM model to learn normal behavior and generate feature vectors, while the XGBoost model is used to build a classifier that is trained on labeled data to identify anomalies. The trained hybrid model is then used to detect anomalies in real-time data from the deception defense system.

Prototype system development and technical validity verification. Based on general-purpose computers and the open-source PLC software, a prototype system is implemented on the open-source GRFICS platform, and multiple attack processes are designed for the water treatment industrial control system to verify the defense model proposed in this paper.

The research results provide a valuable reference for the design of security protection systems for industrial control systems and offer technical support.
Keywords/Search Tags:Industrial control safety, Deception defense technology, Virtualization PLC, Industrial control simulation