跨协议工控入侵检测系统的研究

doi:10.3778/j.issn.1002-8331.2203-0127

摘要/Abstract

摘要： 工业控制系统面临着严峻的安全威胁，基于机器学习的入侵检测技术依赖大量的标注数据，但工业控制系统标注数据匮乏且通信协议众多，不同通信协议下的数据不通用。为了解决上述问题，提出了一种时序敏感的跨协议域混淆工控入侵检测模型（timing-sensitive cross-protocol domain confusion industrial control intrusion detection model，TCPDC）。该模型利用迁移学习的域混淆技术最小化不同通信协议下流量数据的分布差异，把在旧的通信协议下学习到的知识迁移到新的通信协议下，仅利用新的通信协议下的少量未标注数据，即可构建出高准确率的入侵检测模型。除此之外，为了实现攻击数据的细粒度识别，该模型利用长短期记忆网络（long short-term memory，LSTM）算法提取流量数据的时间序列特征，以检测更加隐蔽的攻击。TCPDC在Electra数据集上评估性能，实验结果证明了迁移学习在跨协议构建入侵检测模型方面的可行性和有效性。

关键词: 迁移学习, 入侵检测, 工业控制系统, 长短期记忆网络

Abstract: Industrial control systems are faced with severe security threats. Machine learning-based intrusion detection technology relies on a large amount of labeled data. However, industrial control systems lack labeled data and have many communication protocols. Data under different communication protocols are not universal. To solve the above problems, a timing-sensitive cross-protocol domain confusion industrial control intrusion detection model（TCPDC） is proposed. The model uses the domain confusion technique of transfer learning to minimize the distribution difference of traffic data under different communication protocols, transfer the knowledge learned under the old communication protocol to the new communication protocol, and only use a small amount of unknown information under the new communication protocol. By labeling the data, a high-accuracy intrusion detection model can be constructed. In addition, in order to achieve fine-grained identification of attack data, the model uses the long short-term memory（LSTM） algorithm to extract the time-series features of traffic data to detect more stealthy attacks. TCPDC evaluates the performance on the Electra dataset, and the experimental results demonstrate the feasibility and effectiveness of transfer learning in building intrusion detection models across protocols.

Key words: transfer learning, intrusion detection, industrial control system, long short-term memory network

房国庆, 张雅娴, 于丹, 马垚, 陈永乐. 跨协议工控入侵检测系统的研究[J]. 计算机工程与应用, 2023, 59(14): 251-259.

FANG Guoqing, ZHANG Yaxian, YU Dan, MA Yao, CHEN Yongle. Research on Cross-Protocol Industrial Control Intrusion Detection System[J]. Computer Engineering and Applications, 2023, 59(14): 251-259.

参考文献

[1] 刘奇旭，陈艳辉，尼杰硕，等.基于机器学习的工业控制网络入侵检测技术综述[J].计算机研究与发展，2022，59（5）：994-1014.
LIU Qixu，CHEN Yanhui，NI Jieshuo，et al.Survey on machine learning-based anomaly detection for industrial Internet[J].Journal of Computer Research and Development，2022，59（5）：994-1014.
[2] 杨安，孙利民，王小山，等.工业控制系统入侵检测技术综述[J].计算机研究与发展，2016，53（9）：2039-2054.
YANG An，SUN Limin，WANG Xiaoshan，et al.Intrusion detection techniques for industrial control systems[J].Journal of Computer Research and Development，2016，53（9）：2039-2054.
[3] Power system dataset[EB/OL].[2022-02-27].https：//sites.google.
com/a/uah.edu/tommy-morris-uah/ics-data-sets.
[4] MORRIS T，GAO W.Industrial control system traffic data sets for intrusion detection research[C]//International Conference on Critical Infrastructure Protection.Berlin，Heidelberg：Springer，2014：65-78.
[5] GóMEZ á L P，MAIMó L F，CELDRAN A H，et al.On the generation of anomaly detection datasets in industrial control systems[J].IEEE Access，2019，7：177460-177473.
[6] Water distribution（Wadi） dataset[EB/OL].[2019-10-31].https：//itrust.sutd.edu.sg/testbeds/water-distribution-wadi/.
[7] ADEPU S，KANDASAMY N K，MATHUR A.Epic：an electric power testbed for research and training in cyber physical systems security[M]//Computer security.Cham：Springer，2018：37-52.
[8] MATHUR A P，TIPPENHAUER N O.SWaT：a water treatment testbed for research and training on ICS security[C]//2016 International Workshop on Cyber-physical Systems for Smart Water Networks（CySWater），2016：31-36.
[9] 尚文利，安攀峰，万明，等.工业控制系统入侵检测技术的研究及发展综述[J].计算机应用研究，2017，34（2）：328-333.
SHANG Wenli，AN Panfeng，WAN Ming，et al.Research and development overview of industrial intrusion detection technology in control system[J].Application Research of Computers，2017，34（2）：328-333.
[10] 余晓晖，张恒升，彭炎，等.工业互联网网络连接架构和发展趋势[J].中国工程科学，2018，20（4）：79-84.
YU Xiaohui，ZHANG Hengsheng，PENG Yan，et al.Networking architecture and development trend of industrial Internet[J].Strategic Study of CAE，2018，20（4）：79-84.
[11] TZENG E，HOFFMAN J，ZHANG N，et al.Deep domain confusion：maximizing for domain invariance[J].arXiv：1412.3474，2014.
[12] KORONIOTIS N，MOUSTAFA N，SITNIKOVA E，et al.Towards the development of realistic botnet dataset in the Internet of things for network forensic analytics：Bot-IoT dataset[J].Future Generation Computer Systems，2019，100：779-796.
[13] ABESHU A，CHILAMKURTI N.Deep learning：the frontier for distributed attack detection in fog-to-things computing[J].IEEE Communications Magazine，2018，56（2）：169-175.
[14] THAMILARASU G，CHAWLA S.Towards deep-learning-driven intrusion detection for the Internet of things[J].Sensors，2019，19（9）：1977.
[15] ROOPAK M，TIAN G Y，CHAMBERS J.Deep learning models for cyber security in IoT networks[C]//2019 IEEE 9th Annual Computing and Communication Workshop and Conference（CCWC），2019：452-457.
[16] BEKERMAN D，SHAPIRA B，ROKACH L，et al.Unknown malware detection using network traffic classification[C]//2015 IEEE Conference on Communications and Network Security（CNS），2015：134-142.
[17] GOU S，WANG Y，JIAO L，et al.Distributed transfer network learning based intrusion detection[C]//2009 IEEE International Symposium on Parallel and Distributed Processing with Applications，2009：511-515.
[18] GAO J，FAN W，JIANG J，et al.Knowledge transfer via multiple model local structure mapping[C]//Proceedings of the 14th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining，2008：283-291.
[19] SINGLA A，BERTINO E，VERMA D.Overcoming the lack of labeled data：training intrusion detection models using transfer learning[C]//2019 IEEE International Conference on Smart Computing（SMARTCOMP），2019：69-74.
[20] ZHAO J，SHETTY S，PAN J W.Feature-based transfer learning for network security[C]//2017 IEEE Military Communications Conference（MILCOM），2017：17-22.
[21] ZHAO J，SHETTY S，PAN J W，et al.Transfer learning for detecting unknown network attacks[J].EURASIP Journal on Information Security，2019，2019（1）：1-13.