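Research on an Intrusion Detection Algorithm for Industrial Control Networks Based on Weighted SVM
Topics: industrial control networks + intrusion detection. Source: Shenyang Ligong University, 2017 master's thesis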
[Abstract]: With the development of information technology and functional requirements, industrial control systems are increasingly connected to enterprise networks and the Internet, forming an open network environment. This networked development of industrial control systems has steadily increased system security risks and intrusion threats, and the network security problems they face have become more prominent. Because of the particular nature of the industrial control network environment, traditional IT information security techniques cannot be applied directly to the protection of industrial control networks. Based on the security requirements of industrial control networks, this thesis studies intrusion detection techniques for industrial control systems and builds an anomalous-behavior detection model based on the weighted support vector machine algorithm, in order to improve detection performance for attack operations. Taking the Modbus/TCP industrial control network as the research object, the thesis first analyzes the security of the Modbus/TCP network structure and communication protocol and, based on the characteristics of industrial communication behavior and the protocol specification, proposes an intrusion detection feature extraction method based on anomalous-behavior operation patterns, which includes directly selecting protocol data features and constructing continuous traffic data features that reflect differences in behavior patterns. The traffic data features extracted by this method can be fully applied to detecting and discriminating communication behavior, but redundant detection features may exist. Because redundant traffic data information not only affects the real-time performance of industrial control network communication but also lowers the detection rate for anomalous behavior, the thesis uses the rough set theory (RST) algorithm to perform attribute reduction on the detection features, removing information that is useless for or interferes with anomalous-attack detection, reducing the complexity and detection time of the intrusion detection model, and improving the practical applicability of the intrusion detection system. Because normal samples in industrial control networks far outnumber anomalous samples, the traditional support vector machine algorithm cannot resolve the effect caused by differences between the classes of training samples, so that classification errors are biased toward the small-sample class, that is, the classification error rate for data in the small-sample class is high. The thesis uses the weighted support vector machine algorithm to build the communication-behavior detection model; by weighting data classes and data samples, it reduces the effect of different sample classes on the performance of the support vector machine algorithm and improves the adaptability of the intrusion detection algorithm. To address the long training time and low detection rate of the support vector machine detection model, the thesis uses an improved PSO algorithm to optimize the model parameters, adjusting the inertia weight to improve the global optimality of the PSO search and to speed up convergence. Optimizing the detection model parameters not only raises the detection rate for communication behavior but also lowers the false-positive rate and the false-negative rate, further strengthening the system's security defense capability, so as to meet the efficiency and real-time requirements of industrial control network intrusion detection. Building on the security analysis of the Modbus/TCP industrial control network and the intrusion detection model, an actual industrial control network environment was set up to further validate and analyze the proposed method. By extracting communication traffic data, the training and test datasets required for the intrusion detection model were built and simulation experiments were carried out. The research shows that the intrusion detection model based on the weighted support vector machine algorithm effectively improves the ability to detect anomalous attack behavior and is of significance for strengthening industrial control network security.
[Degree-granting institution]: Shenyang Ligong University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP393.08; TP273