Sequence attack detection method and device

A detection method and sequence technology, applied in the fields of computer security devices, instruments, and calculation. It addresses the problems that sequence attacks affect the high real-time performance of ICS and cause system abnormalities, and that security was not considered in ICS design. The effects are that previously undetectable operation sequences can be detected, intrusion detection is realized, and the detection range is expanded.

Active Publication Date: 2020-09-11
INST OF INFORMATION ENG CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

Second, most existing detection algorithms are event-driven: they can only check the system state at the moment an operation is executed, and cannot identify an abnormal system state caused by a delayed operation.
Sequence attacks can delay and block issued operating instructions, affect the high real-time performance of ICS, and cause system abnormalities.
For example, delaying the command to open a reservoir valve can cause the water level to overflow.
Third, there are issues with data integrity.
ICS were not designed with security in mind, and they are closely tied to the Internet. Attackers can therefore forge false operation sequences by injecting, blocking, and tampering with operation commands, which causes false negatives and makes the detection algorithm fail.


Embodiment Construction

[0027] The specific implementation manners of the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. The following examples are used to illustrate the present invention, but are not intended to limit the scope of the present invention.

[0028] Prior-art methods for detecting sequence attacks on controllers suffer from incomplete detection and depend heavily on the authenticity of the data, so sequence attacks cannot be effectively identified, which causes serious service interruption and equipment damage. To overcome these shortcomings, the embodiment of the present invention starts from an analysis of the controller, which shows that the controller receives not only control flow data but also state flow data. The control flow data and the state flow data are bound together by the business process of the system and are closely related, so each can be used to verify the correctness of the other. The inv...


Abstract

The invention provides a method and a device for detecting sequence attacks. The method comprises the following steps: acquiring data in an industrial control system in real time; for an observed quantity obtained after the first operation instruction is obtained, judging whether the observed quantity is abnormal according to the observed-quantity change information of the operation interval; for an operation instruction obtained after the first operation instruction is obtained, obtaining a history operation instruction sequence of a certain length, calculating, according to the detection model, the jump probability of jumping from the history operation instruction sequence to the current operation instruction, judging whether the operation instruction is abnormal according to the jump probability, and detecting whether the observed-quantity change information when the operation instruction is executed is abnormal. The embodiment of the invention effectively solves the problems that the operation sequence cannot be detected and that false control flow data causes detection to fail, improves the accuracy of sequence attack detection, and realizes intrusion detection of the whole operation flow.
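The jump-probability check described in the abstract can be sketched as follows. This is an added example, not code from the patent: the fixed-order Markov model, the history length `K`, the thresholds `P_MIN` and `MAX_DELTA`, the instruction names and the sample data are all assumptions, and the observed-quantity check is reduced to the change between consecutive operations.

```python
from collections import Counter, defaultdict

K = 2             # history length (assumed; the page says only "a certain length")
P_MIN = 0.05      # jump-probability threshold (assumed)
MAX_DELTA = 5.0   # largest plausible level change between operations (assumed)


def train(sequences, k=K):
    """Count how often each length-k history is followed by each instruction."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for i in range(k, len(seq)):
            counts[tuple(seq[i - k:i])][seq[i]] += 1
    return counts


def jump_probability(model, history, op):
    """Estimate P(op | history) from training counts; 0.0 for an unseen history."""
    followers = model.get(tuple(history))
    if not followers:
        return 0.0
    return followers[op] / sum(followers.values())


def detect(model, events, k=K):
    """events: list of (instruction, observed value at execution).
    Returns (index, reason) for every anomalous event after the first k."""
    alerts = []
    for i in range(k, len(events)):
        history = [op for op, _ in events[i - k:i]]
        op, value = events[i]
        if jump_probability(model, history, op) < P_MIN:
            alerts.append((i, "sequence"))
        if abs(value - events[i - 1][1]) > MAX_DELTA:
            alerts.append((i, "observation"))
    return alerts


# Constructed training data: a reservoir cycle repeated under normal operation.
NORMAL = [["open_inlet", "close_inlet", "open_valve", "close_valve"] * 5]
MODEL = train(NORMAL)

# Constructed trace: the open_valve command is blocked, so close_valve follows
# close_inlet directly and the level rises by more than the usual change.
TRACE = [("open_inlet", 10.0), ("close_inlet", 14.0),
         ("close_valve", 21.0), ("open_inlet", 22.0)]

if __name__ == "__main__":
    print(detect(MODEL, TRACE))
```

The event at index 3 is also flagged because its history contains the out-of-order instruction and was never seen in training, so one blocked command produces alerts until the window slides past it.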

Description

Technical field

[0001] The present invention relates to the technical field of intrusion detection, and more specifically, to a method and device for detecting sequence attacks.

Background technique

[0002] Industrial control system (ICS) is a general term for a type of control system used in industrial production. It includes supervisory control and data acquisition (SCADA) systems, distributed control systems, and other small control systems (such as programmable logic controllers) commonly found in industrial sectors and critical infrastructure. ICS is widely used in all walks of life, including industrial production enterprises such as machinery manufacturing, petroleum and petrochemical, as well as infrastructure such as sewage treatment and nuclear power systems. At present, attackers such as internal malicious personnel, hostile enterprises, and state-level organizations are increasin...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): G06F21/55
CPC: G06F21/55, G06F21/552
Inventor: 孙利民, 杨安, 石志强, 李红
Owner: INST OF INFORMATION ENG CHINESE ACAD OF SCI