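Research and Implementation of Data Access Control Technology for Industrial Control Networks
Topic of this paper: industrial control network + access control; Reference: master's thesis, University of Electronic Science and Technology of China, 2016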
[Abstract]: In recent years, attacks against industrial control networks have occurred frequently, seriously threatening the security of nations and critical production sectors and causing major economic losses. The most typical example is the "Stuxnet" virus attack on Iranian nuclear equipment. Because industrial control networks were originally designed for closed network environments, information security was not thoroughly considered, which leaves their weaknesses fully exposed and gives intruders the opportunity to launch various attacks. In view of this, this thesis protects the information security of industrial control networks by designing security schemes against each class of attack. The main work is as follows:
1. The structure of industrial control networks and its characteristics are studied. The vulnerabilities of industrial control networks are analyzed, and on that basis a defense scheme for industrial control networks is proposed. The study focuses on the second defense layer of the overall scheme, designing defense schemes against malicious-packet-based attacks, spoofing attacks, and abnormal-traffic attacks.
2. For malicious-packet-based attacks and spoofing attacks, an access control defense model is designed. Following access control principles, the overall framework of the model is designed, comprising two main parts: data information extraction and security policy. The design focuses on security domains, whitelists, and security policies against spoofing attacks and SYN flood attacks. These security policies are implemented under the netfilter/iptables framework on the Linux platform and tested.
3. For abnormal-traffic attacks on industrial control networks, an abnormal traffic detection system based on a multi-class support vector machine (SVM) is designed. Based on the classic CIDF intrusion detection system, the overall framework of the abnormal traffic detection system is designed, comprising data information extraction, data preprocessing, and the abnormal traffic detection model. Combining the characteristics of abnormal-traffic attacks with the binary SVM, a detection model based on multi-class SVM is designed. The multi-class SVM detection model is constructed on the Linux platform with the libsvm software and tested.
The access control defense model and the multi-class-SVM-based abnormal traffic detection system designed in this thesis against the various attacks on industrial control networks are of positive significance for the development of industrial control information security.
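[Degree-granting institution]: University of Electronic Science and Technology of China
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP393.08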
Article number: 1816079
Article link: http://sikaile.net/guanlilunwen/ydhl/1816079.html