Research On Industrial Control Network Security Based On Improved Device Fingerprint Method

With the development of modern industrial technology,industrial control systems have become an important part of the production and manufacturing industry.However,the corresponding security issues have become increasingly complex and severe.In recent years,there have been incidents of malicious software attacking industrial control networks around the world.These events have caused significant security risks and property losses,as well as seriously affecting the daily lives of people and damaging the interests of countries and enterprises.Due to the differences in protocols applied by different types,brands,and models of devices in industrial control networks,the work of information security protection for industrial control networks has become extremely complex.Device fingerprinting technology has been developed and applied in response to this situation,which can effectively solve the verification problem of industrial control devices in the network space.The workflow of device fingerprinting technology mainly consists of the following parts:first,device information needs to be collected,and key features from the information are selected,compiled into a set,and encrypted to generate "fingerprint" information.These device fingerprints can uniquely identify target devices and play an important role in the verification process.Therefore,device fingerprinting technology can effectively prevent common attacks in industrial control networks.However,there are also some problems with current device fingerprinting technology,such as the tedious and time-consuming process of extracting device information,insufficiently concise fingerprint feature sets,and the possibility of conflicts in generated device fingerprints due to many similar key information in devices of the same model.Therefore,this paper addresses the problems existing in device fingerprinting technology in industrial control network environments by conducting the following work: first,in the device fingerprint generation stage,industrial control network protocol messages are used as the dataset,and features are extracted through the DOM tree to obtain fingerprint information in the form of {device type,device brand,device model},which is used to generate device fingerprints.Second,in the fingerprint verification stage,since both protocol messages and device fingerprints can be regarded as short text data,a short text clustering algorithm is used to cluster data with similar features into clusters,thereby achieving the function of device fingerprint verification for protocol messages corresponding to devices.Finally,for feature sets that fail the previous verification,it is generally believed that conflicts in generated fingerprints may occur due to the presence of multiple identical branded and modeled industrial control devices in the same environment.To address this issue,this paper introduces device firmware version information as a new feature,which is used to generate new fingerprints together with the simplified invalid fingerprints.This article aims to improve the problems that exist in the generation and verification stages of device fingerprint technology.In the fingerprint generation stage,the best similarity threshold of 0.99 is achieved,resulting in a balanced recognition rate for both brand information(precision=0.877,recall=0.895)and model information(precision=0.853,recall=0.861).In the fingerprint verification stage,the error rate is 2.41%,which is significantly improved compared to the previous improvement plan of3.79%.The invalid fingerprints are corrected,resulting in a final reduction of the fingerprint verification error rate of the experimental dataset to2.11%.