The purpose of the work is to increase the security of the industrial network of an automated process control system based on intelligent network traffic analysis algorithms. The analysis of the problem of detecting and recording actions of violators on the implementation of a network attack on an automated process control system in the industrial network of an enterprise has been performed. A structural and functional model of the monitoring system of the industrial network of industrial control systems is proposed. An algorithm is developed for the intellectual analysis of network traffic of industrial protocols and a software package that implements the proposed algorithms as part of a monitoring system to evaluate the effectiveness of the proposed solution on field data.
Security of the critical infrastructure of automated process control system (APCS) [
Today, there is a transition to automated digital production, controlled by intelligent systems in real
time, in constant interaction with the external environment, going beyond the boundaries of one
enterprise, with the prospect of combining into a global industrial network of things and services. This
approach is developed in the concept of “Industry 4.0” and describes the current trend in the
development of automation and data exchange, which includes cyber-physical systems, the Internet of
things and cloud computing [
Network security is becoming one of the main directions in the development of information
security through the use of a set of technical means [
Thus, it can be concluded that the network attacks detection systems based on the use of artificial
intelligence methods as a key element of ensuring cybersecurity of the critical infrastructure [
The research goal is to increase the effectiveness of network attack detection system by using a
neural network analysis module as part of the IDS. To achieve this goal, it is necessary to solve the
following tasks:
• Analysis of the problem of detecting network attacks in industrial networks APCS.
• Development of the structure of the system for monitoring the industrial network of APCS;
• Development of algorithms for intellectual analysis of network traffic of industrial networks;
Development of a software package that implements the proposed algorithms as part of a monitoring
system, and an assessment of the effectiveness of the proposed solution on full-scale data.
2. Analysis of the problem of detecting network attacks in industrial networks
The process of automation of industrial production continues to evolve: the number of “intelligent”
terminal devices is increasing, the number of microcontroller-based computing systems involved in
the process control and process control is growing. Under these conditions, the role of data collected at
all levels of the process control system significantly increases. Requirements imposed by consumers of
this information are increasingly being tightened in terms of the volume, speed and reliability of data
acquisition, as well as information security of the entire system [
An industrial network is a data transmission environment that must meet a variety of diverse, often contradictory requirements; a set of standard data exchange protocols that allow to link equipment together (often from different manufacturers), and also to ensure interaction between the lower and upper levels of the enterprise management system.
In IIoT, the main types of “things” that need to be connected to the network are various types of sensors and actuators. These devices, on the one hand, have an interface with a communication network, and on the other hand, an interface that provides physical interaction with the process to be monitored (Ethernet, Wi-Fi, cellular networks, Sigfox, LoRa, ZigBee, etc.).
Not so long ago, the hierarchy of the APCS had a clear boundary between the levels. The trends of recent years have made this structure much more complex and diffuse. The automated process control system is more and more integrated with the automated control system, and through it inevitably enters the sphere of Internet technologies. Unification of the corporate and industrial network of an enterprise inevitably poses a serious problem of information security of the industrial network of industrial control systems.
The traditional process control system is a real-time system. To ensure error-free process control,
continuous process operation monitoring is necessary [
requirements of regulators (FSTEC №31)
+ + + +
for Networks,
+
The following main threats to the security of an industrial network can be identified [
Summary information of the information security systems of automated process control systems shown in Table 1.
network traffic network network traffic without intervention,
Intervention in (SPAN / TAP), traffic (unidirectional integration with
technological but contains an (SPAN-ports) gateway) intrusion prevention
process intrusion system is possible
prevention
system
cSAeoPrftCtiwfSicaraetiodnevfeolroper (SEWWimeinimenCreCsCnoCsn, OA), - - Honeywell Experion
An example of the use of wireless sensor networks is the use of wireless sensor networks in
electrical substations [
center that collects information from external monitoring and security systems channels for transmitting telemetric information such as: power flows in the power system, control of active and reactive power, frequency and voltage in certain areas to the control room. Due to the transition from wired to wireless network technologies to collect telemetry data, network security is determined not only by hardware and software solutions for industrial controllers and sensor nodes, but also by the chosen principles of their information interaction during the synthesis of network topology, determination of routing parameters and data transmission.
A wireless sensor network [
Most information security threats in wireless networks are similar to threats and attacks on wired
networks, except that wireless networks are harder to protect due to the use of an open medium as a
data transmission channel and the broadcast nature of wireless connections. Network protection is
complicated due to limited resources: the energy of an autonomous power source and computing
resources. Such limiting characteristics make traditional security measures, for example, the use of
complex encryption algorithms, multifactor authentication, firewalls, etc. [
The current trend in the development of the transport environment of industrial networks is the use of self-organizing wireless networks with equal rights of nodes, a dynamically changing topology, the possibility of reconfiguration, self-healing, dynamic routing, etc.
The classification of attacks on wireless sensor networks in the direction of impact is given in [
Active attacks are various modifications of data during communication by unauthorized persons.
Of most interest are routing attacks implemented at the network level. The most common attacks are
presented in [
Wireless Intrusion Detection System – WIDS [
There are two groups of methods: learning with a teacher (supervised) showed in Table 2, and
uncontrolled learning (without a teacher) showed in Table 3 [
multiple states
4. Development of the structure of the system for monitoring the industrial network of APCS Figure 1 shows network structure of an enterprise with tools for collecting and analyzing network traffic of a network intrusion detection system (IDS).
The structure of the network attack detection system based on data mining is shown in the Figure 2. At the first stage, network traffic is captured. In Figure 1, the numbers indicate the following components: 1 is a router as a means of collecting incoming / outgoing network traffic, 2 is a router as a means of collecting traffic within the enterprise network. The collection of necessary data is performed using the package sniffer.
DCS OPC-client
DCS OPC-client
DCS OPC-client
PLC
PLC
PLC
PLC
Sensors and actuators
The second stage identifies the most significant parameters that characterize network activity. ERP/MES level
DMZ
WEB services
IPS/IDS DMZ DB and data collection
Internet 1 2
DB Application
server AD
File Server
Department network
Department
network
LAN of control level Industrial network
At the third stage, detection and classification of attacks is carried out. The results of this recognition are transmitted to related systems for reporting and visualization, depending on the capabilities and specifics of adjacent systems. In addition, information about the attack on the APCS is added to a special archive designed to investigate cybersecurity incidents by authorized specialists and managers. 5. Development of algorithms for intellectual analysis of network traffic of industrial networks An effective network attack detection system based on artificial intelligence methods can be built only with a high-quality dataset of training and test samples that simulates various intrusions.
KDDCUP99 – intrusion detection dataset based on the data set DARPA 98, is one of the only
publicly available labeled data set [
Each entry has 41 attributes describing the various functions of the connection, and the label assigned to each of them: attack or normal connection.
Dataset UNSW-NB15 [
Internet Gateway for capturing incoming network traffic
Local computing
network network traffic capture
node Module for collecting and primary filtering of network traffic (forming a dump of a captured set of Ethernet frames)
Dump of analyzed traffic
Module for extracting signatures by the protocols of OSI model levels decrypted TCP/IP stack hierarchy protocol packets network traffic parser according to the protocols of OSI model levels (extraction and decoding packets of higher levels
protocols) decrypted TCP/IP stack hierarchy protocol packets for correlation with the dump of accumulated
Ethernet traffic
extracted signatures
Aatack signatures
Signature analysis module
TCP/IP stack packets marked with attack type data for of thaetdrNadiiNtnioinmngaoldule Modulepfroimriadreyntifying
characteristics of typical traffic patterns database of network attacks
signs Decision about the presence and type of Output NN vector attack primary signs of marked traffic Module for identifying significant features
using PCA Primary component vector
Neural network clasifier e l u d o m k r o w t e n l a r u e
N
Each entry in this set contains attributes that describe the various functions of the connection, and
the label assigned to each of them: attack or normal connection [
The comparative table (Table 5) of the NSL-KDD and UNSW-NB15 methods is shown below:
• number of classes of attacks is more than 2 times; • test stand contained 33 subnets (NSL-KDD – 2 subnets); • when collecting traffic on the network, 45 IP addresses participated in the exchange of information against 11 in NSL-KDD; • traffic was collected by several means (in NSL-KDD - Bro-IDS); • UNSW-NB15 set contains more attributes for the record (49 vs. 42 in NSL-KDD).
At the moment, in relation to industrial networks the following types of network attacks can be distinguished (Table 6).
Of all types of attacks implemented in the industrial network, network attack detection systems are able to most effectively cope with network intelligence, DoS attacks, as well as various types of injections and buffer overflow attacks. IDS is a practically universal tool capable of detecting most types of attacks implemented on an industrial network.
Main steps of the network traffic analysis algorithm in the industrial network are presented in the Table 7.
Analysis stage Extract traffic Feature selection Classification 6. Development of a software package that implements the proposed algorithms as part of a monitoring system Table 8 presents the parameters of two common data sets used to build and test network attack detection systems. The choice is made in favor of the UNSW-NB15 data set.
Protocol
Label Unique adresses
Analysis stage Duration of data collection
Amount of threads Number of bytes of packet sender Number of bytes of packet recipient
Number of sender packets Number of recipient packets
TCP UDP ICMP Other Normal Attack
Sender Recipient
When pre-processing the parameters of the selected data set UNSW-NB15, the attack classes containing less than 5000 examples are excluded from the training set (Table 9).
Categorical variables are coded into numeric ones. The entire data set is divided into a training and test sample in the ratio of 75% to 25%.
In order to compare the effectiveness of the use the classifier for a specific task, it is necessary to
compare the learning results of these classifiers on real data sets. To quantify the classifiers, the
following coefficients are applied [
A sensitive diagnostic test is called overdiagnosis – the maximum prevention of missing malicious code.
Classifier Decision Trees Committee (RFT) Multilayer perceptron (MLP) Decision Trees Committee (RFT) + main component method for feature selection Classifier based on k-nearest neighbors Multilayer perceptron + Autoencoder
The number of neurons in the hidden layer was selected during training to achieve the minimum error on the test sample, the activation function of the hidden layer neurons is the hyperbolic tangent; The number of 5000 epochs of learning, the learning algorithm is conjugate gradients.
Before the classification, features are selected by the method of principal components. The maximum number of nodes of the decision tree is assumed to be 100. The results of the work of the “decision trees” method using feature selection by the principal component method on the test sample are presented in Table 12.
The maximum number of nodes in the decision tree is assumed to be 250. The results of the “decision trees” method are presented in table 11.
Parameter k was hit to achieve optimal error on the test sample.
∈ [5; 100] Before making a classification, features are selected using a two-layer neural network autoencoder
In the course of the research, a series of experiments were carried out, the essence of which consists in determining the presence of an attack and attributing it to a specific class (Table 10).
When using the “decision trees” method together with the principal component method for decreasing the dimension, the indicators decrease (sensitivity - by 8%, specificity - by 6.6%, the proportion of correctly recognized examples - by 8.5%), and require more time and computational resources.
process control systems was conducted: Kaspersky Industrial CyberSecurity, Silent Defense, PT Industrial Security Incidents Manager, Honeywell Risk Manager. 2) A structural scheme of a network attack detection system based on data mining techniques has been developed. 3) Analyzed the data sets of network traffic, suitable for modeling the traffic of the industrial network of enterprises: KDD99 CUP, NSL-KDD, UNSW-NB15 for the task of detecting network attacks. The UNSW-NB15 set is selected for use in the system, since the number of attack classes is twice as large; test stand contained 33 subnets (NSL-KDD – 2 subnets); in collecting traffic on the network, 45 IP addresses participated in the exchange of information against 11 in NSL-KDD; traffic collection was carried out by several means (in NSL-KDD – Bro-IDS); the UNSW-NB15 set contains more attributes in the record (49 vs. 42 in NSLKDD). 4) A software package has been developed that implements a comparative analysis of network attack detection algorithms. The most effective is the “decision trees” method with sensitivity indicators Sen = 1, specificity Spe = 0.9877, and the mean correct rate MCR = 89.67%.
This work was supported by the Russian Foundation for Basic Research, research №17-48-020095.