Method for detecting physical intrusion attack in industrial control system based on analysis of signals on serial communication bus

Abstract

A method for detecting physical intrusion attack in an industrial control system based on analysis of signals on serial communication bus is provided. This method comprises of actively sending a detection signal to communication bus via a bus controller in a serial communication bus network, sampling and analyzing signals on the communication bus by a monitoring device, performing differential comparison with a standard signal stored in the monitoring device database, detecting an intrusion signal in difference signal based on noise reduction technology and weak signal detection technology, and according to a detection result of the intrusion signal caused by an external device to effectively determine whether there is an external malicious device in the system, and whether the system is subjected to a physical intrusion attack.

Claims

1. A method for detecting physical intrusion attack in industrial control system based on analysis of signals on serial communication bus, comprising steps of: actively sending signals for detecting to a communication bus via a bus controller in a serial communication bus network, sampling and analyzing the signals on the communication bus by a monitoring device, performing differential comparison with a standard signal stored in the monitoring device database, detecting an intrusion signal in a difference signal by noise reduction technology and weak signal detection technology, and according to a detection result of the intrusion signal caused by an external device, effectively determining whether there is an external malicious device in the system, and determining whether the system is subjected to a physical intrusion attack.

2. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, specifically comprising steps of: S1: monitoring a service condition of a serial communication bus in the industrial control system according to a set time period by the bus controller; if the communication bus is in an idle state, sending a detection signal once by the bus controller; if the communication bus is in a data transmission state, continuing to monitor and wait until the communication bus is in an idle state, and sending the detection signal once by the bus controller; S2: performing sampling, receiving and protocol analysis on all communication signals on the serial communication bus by the monitoring device deployed in the network; S3: analyzing signals after parsing and determine whether to start detecting physical intrusion attack in the industrial control system; S4: comparing signal data received with standard signal data in the database of monitoring device to obtain a difference signal therebetween; S5: detecting the intrusion signal on the difference signal; if the intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is subjected to the physical intrusion attack and continuing to execute S6; if no intrusion signal is detected in the difference signal, judging that the serial communication bus network of the industrial control system is not subjected to the physical intrusion attack and continuing to monitor the bus to receive a next communication signal; S6: according to a detection result of the intrusion signal, if the serial communication bus network of the industrial communication system is subjected to physical intrusion attack, reporting the detection result to the bus controller in the serial communication bus network, and making a quick judgment and an emergency response on the physical intrusion attack by the bus controller.

3. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein in the step S1, the detection signal is set according to a protocol specification of the serial communication bus, and the detection signal is different from all normal communication signals in the digital sequence, and the detection signal is only capable of being identified and analyzed by a corresponding monitoring device in the serial communication bus network, and the other devices are not capable of responding to detection signals.

4. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S2 specifically comprises steps of: according to types of the serial communication bus in the industrial control system, performing protocol parsing on corresponding communication signals by adopting one corresponding protocol such as Modbus, CANBus, P-Net, ProfiBus, WorldFIP, ControlNet, FF or HART to obtain a digital signal sequence.

5. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S3 specifically comprises steps of: S301: performing consistency detection on the digital signal sequence parsed in the step S2 and the digital sequence of the detection signal, if the signal received is the detection signal, starting detecting the physical intrusion attack in the industrial control system, and performing a step S302; if the signal received is not a detection signal, then making no response, and continuing monitoring the bus to receive the next communication signal; S302: according to a consistency detection result between the signal received and the detection signal, continuing to determine whether the monitoring device receives the detection signal for a first time; if the signal database of the monitoring device is empty, storing the received signal data in the local database, and considering the signal is a standard signal under normal conditions of the system; if the signal data is already stored in the signal database of the monitoring device, continuing performing the step S4.

6. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein in the step S5, the intrusion signal is a definite signal added to an original detection signal sent by the bus controller caused by the physical intrusion attack, and the intrusion signal has the same period with the detection signal.

7. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, wherein the step S5 specifically comprises steps of: S501: performing noise reduction processing on the difference signal data obtained in step S4; S502: by a weak signal detection technology, detecting and determining whether the intrusion signal exists in the difference signal according to a result of the weak signal detection

8. The method for detecting physical intrusion attack in the industrial control system based on analysis of signals on serial communication bus, as recited in claim 1, further comprising a step of: alerting a master station after receiving the detection signal of the physical intrusion attack by the bus controller.

Description

BRIEF DESCRIPTION OF THE DRAWINGS

[0033] In order to more clearly illustrate the embodiments of the present invention or the current technical solutions, the drawings described in the preferred embodiments or the current technical solutions will be briefly described below.

[0034] FIG. 1 is a structure of RS485 bus in industrial control system according to a preferred embodiment of the present invention.

[0035] FIG. 2 is an equivalent model of RS485 bus in the industrial control system according to the preferred embodiment of the present invention.

[0036] FIG. 3 is a steady state model of RS485 bus in the industrial control system according to the preferred embodiment of the present invention.

[0037] FIG. 4 is a noise reduction result of digital averaging method from a difference signal by the monitoring device; wherein, FIG. 4 (a) is a difference signal before digital averaging processing, and FIG. 4 (b) is a difference signal after digital averaging processing.

[0038] FIG. 5 is a cross-correlation detection result from the difference signal by the monitoring device; wherein FIG. 5 (a) is the detection result with the intrusion signal, and FIG. 5 (b) is the detection result without intrusion signal.

[0039] FIG. 6 is a flow chart according to the preferred embodiment of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0040] The preferred embodiments of the present invention provide a method for detecting physical intrusion attack in industrial control system based on analysis of signals on serial communication bus, which solves the safety and security technology problem that the external devices can not be effectively detected by network defense methods in the serial communication bus network in the industrial control system.

[0041] The technical solutions of the embodiments of the present invention will be clearly and completely described in conjunction with the drawings in the embodiments of the present invention. The present invention provides a method for detecting physical intrusion attack which can deal with an attack scenario, that is, in the industrial control system RS485 bus network, the attacker implants an external device in the system through physical invasion, and uses the device to obtain communication information and forge control instructions to endanger the system security and stability. For specific analysis, see the following embodiments.

[0042] FIG. 1 is a network structure of RS485 communication bus 1 in an industrial control system, which is mainly composed of a bus controller 2 and various communication devices such as a measurement device 3 and a control device 4, all of which are connected in a daisy-chain structure. All devices are connected to the live line L, the neutral line N and the ground line E of the power transmission line. Among all devices, only the controller has the right to send signals to the bus. According to the communication mode of RS485, the signal phases of two signals on lines are opposite, and the difference between the two signals is taken as the receiving signal by other devices. The devices choose to filter or respond according to the address in the difference signal after the protocol parsing.

[0043] FIG. 2 is an equivalent model of RS485 communication bus in the industrial control system. In this model, the controller is equivalent to two synchronous opposite signal sources. The other communication devices are regarded as input impedance with fixed-value, and the matched resistance is connected at the ends of the transmission lines to eliminate the reflection. When the system is attacked by physical intrusion, an external device that the attacker accesses in the original system is also considered as the input impedance in the model. In order to better analyze the stable signal, the steady state model of RS485 communication bus is shown in FIG. 3.

[0044] In the steady state model, the transmission line is equivalent to impedance which is only related to the resistance of the transmission line itself and its inherent parameters such as length, thickness and material, different from the characteristic impedance. As shown in FIG. 3, Z.sub.i=(i=1, 2, . . . , n) represents the input impedance of ith device, Z.sub.M is the termination matched resistance, Z.sub.r is the internal resistance of the signal source, and Z.sub.i_i+1.sup.l(i=1, 2, . . . , n) represents the equivalent impedance of the transmission line between the ith device and the (i+1)th device in the steady state of the system, meanwhile, it is regarded the first device when i=0. The input impedance of an external device accessed by the attacker through the physical intrusion attack into the system is recorded as Z.sub.A.

[0045] Therefore, in the case that there is no external device accessed in the system, the following two iterative processes are required to calculate the system impedance of the steady state model in FIG. 3:

[0046] 1) Assign the initial value r.sub.0=Z.sub.r, and calculate the impedance after Z.sub.M:

[00001] $r_{i} = \frac{Z_{i} .Math. (Z_{i - 1 .Math._.Math. i}^{l} + r_{i - 1})}{Z_{i} + Z_{i - 1 .Math._.Math. i}^{l} + r_{i - 1}}, i = 1, 2, .Math. .Math., n$

[0047] 2) Calculate the impedance before Z.sub.M with the above iterative result r.sub.n:

[00002] $r_{n + 1} = \frac{Z_{n} .Math. (Z_{0} + r_{n})}{Z_{n} + Z_{0} + r_{n}}$ $r_{i} = \frac{Z_{2 .Math. n - i + 1} .Math. (Z_{2 .Math. n - i + 1 .Math._.Math. 2 .Math. n - i + 2}^{l} + r_{i - 1})}{Z_{2 .Math. n - i + 1} + Z_{2 .Math. n - i + 1 .Math._.Math. 2 .Math. n - i + 2}^{l} + r_{i - 1}}, i = 1, 2, .Math. .Math., 2 .Math. n$

[0048] When an attacker accesses an external device into the system through physical intrusion attack, assuming that the access location of the external device is between the kth device and the (k+1)th device, the above two impedance iterative calculation will be changed:

[0049] 1) While calculating r.sub.k to r.sub.k+1:

[00003] $r_{x} = \frac{Z_{A} .Math. (.Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{k})}{Z_{A} + .Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{k}} .Math. .Math. r_{k + 1} = \frac{Z_{k + 1} .Math. [(1 -) .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{x}]}{Z_{k + 1} + (1 -) .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{x}}$

[0050] 2) While calculating r.sub.2nk to r.sub.2nk+1:

[00004] $r_{y} = \frac{Z_{A} .Math. [(1 -) .Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{2 .Math. n - k}]}{Z_{A} + (1 -) .Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{2 .Math. n - k}} .Math. .Math. r_{2 .Math. n - k + 1} = \frac{Z_{k + 1} .Math. (.Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{y})}{Z_{k + 1} + .Math. .Math. Z_{k .Math._.Math. k + 1}^{l} + r_{y}}$

[0051] For such an attack situation, combined with FIG. 3 and the derivation of the above system impedance, a method for detecting physical intrusion attack in an industrial control system based on analysis of signals on serial communication bus is specifically described, which includes the following steps:

[0052] When the system first uses the method for detecting physical intrusion attack of the present invention, the specific execution process and steps are as follows:

[0053] Step S1: The bus controller in the RS485 communication bus network monitors the bus usage state, and when detecting that the bus is in an idle state, sends a detection signal U(t) to the two RS485 signal lines, the detection signal is a square wave signal with a period of 200 s and an amplitude of 5V to 5V;

[0054] Step S2: The monitoring device deployed in the RS485 communication bus network collects signals on the bus. According to the steady state model of FIG. 3, it is assumed that the device at the mth position in the system is a monitoring device, and then when the bus controller sends the detection signal U(t), the differential signal of two signals on transmission lines is:

V.sub.diff(m,t)=2(.sub.m.sub.m)U(t)+(t)

[0055] Wherein (t) is the sum of the environment noise and the measurement noise, and .sub.m, .sub.m are the voltage signal partition coefficient at the mth monitoring device:

[00005] $_{m} = \frac{{.Math.}_{j = 1}^{m} .Math. .Math. r_{2 .Math. n - j + 1}}{(r_{2 .Math. n} + Z_{r} + Z_{0 .Math._.Math. 1}^{l}) .Math. {.Math.}_{j = 2}^{m} .Math. (r_{2 .Math. n - j + 1} + Z_{j - 1 .Math._.Math. j}^{l})};$ $_{m} =_{m} .Math. \frac{{.Math.}_{j = m}^{n} .Math. r_{j}}{(r_{n} + Z_{M}) .Math. {.Math.}_{j = m}^{n - 1} .Math. (r_{j} + Z_{j .Math._.Math. j + 1}^{l})};$

[0056] Then the monitoring device will parse the signal according to the RS485 common protocol-ModBus protocol to obtain the corresponding digital signal sequence;

[0057] Step S3: The monitoring device analyzes and processes the parsed signal, and specifically includes the following steps:

[0058] Step S301: Perform consistency detection on the digital sequence of the received signal and the digital sequence of the detection signal. If the two sequence are inconsistent, this indicates that the received signal is not the detection signal and the monitoring device continues to maintain the monitoring state; If the two sequence are consistent, this indicates that the detection signal is received, and the process goes to step S302;

[0059] Step S302: The monitoring device determines whether the detection signal is received for the first time. After detecting the local signal database of the device, if there is no data in the database, it is determined that the detection signal at this time is a standard signal in the initial state of the system, and the standard signal will be stored in the signal database and the physical intrusion attack detection process will be ended.

[0060] When the system does not uses the method for detecting physical intrusion attack for the first time, the specific execution process and steps are as follows:

[0061] Step S1: When the RS485 bus is in an idle state, the bus controller sends a detection signal to the two signal lines of RS485 which is inversely processed according to the RS485 balanced transmission mode;

[0062] Step S2: The monitoring device collects the signals on the bus. According to the steady state model of FIG. 3, when the attacker accesses the external device through the physical intrusion attack, the detection signal collected by monitoring device becomes to:

V.sub.diff(m,t)=2(.sub.m.sub.m)U(t)+(t)

[0063] Wherein (t) is the sum of environment noise and measurement noise, and .sub.m, .sub.m become the following two cases:

[0064] 1) If the (k+1)th device is before the mth device:

[00006] $_{m}^{} =_{m} .Math. \frac{r_{y} (.Math. r_{2 .Math. n - k} + Z_{k .Math._.Math. k + 1}^{l})}{(r_{y} + .Math. .Math. Z_{k .Math._.Math. k + 1}^{l}) [r_{2 .Math. n - k} + (1 -) .Math. Z_{k .Math._.Math. k + 1}^{l}]}$ $_{m}^{} =_{m} .Math. \frac{r_{x} (.Math. r_{k} + Z_{k .Math._.Math. k + 1}^{l})}{[r_{x} + (1 -) .Math. .Math. Z_{k .Math._.Math. k + 1}^{l}] .Math. (r_{k} + .Math. .Math. Z_{k .Math._.Math. k + 1}^{l})}$

[0065] 2) If the kth device is after the mth device:

[00007] $.Math._{m}^{} =_{m}$ $_{m}^{} =_{m} .Math. \frac{r_{y} (r_{2 .Math. n - k} + Z_{k .Math._.Math. k + 1}^{l})}{(r_{y} + .Math. .Math. Z_{k .Math._.Math. k + 1}^{l}) [r_{2 .Math. n - k} + (1 -) .Math. Z_{k .Math._.Math. k + 1}^{l}]} .Math. \frac{r_{x} (r_{k} + Z_{k .Math._.Math. k + 1}^{l})}{[r_{x} + (1 -) .Math. Z_{k .Math._.Math. k + 1}^{l}] .Math. (r_{k} + Z_{k .Math._.Math. k + 1}^{l})}$

[0066] Then, the monitoring device parses the signal according to the RS485 common protocol-ModBus protocol, and obtains a corresponding digital signal sequence;

[0067] Step S3: The monitoring device analyzes and processes the parsed signal, and specifically includes the following steps:

[0068] Step S301: Perform consistency detection on the digital sequence of the received signal and the digital sequence of the detection signal. If the two sequence are inconsistent, this indicates that the signal is not a detection signal and the monitoring device continues to maintain the monitoring state; If the two sequence are consistent, this indicates that the detection signal is received, and the process goes to step S302;

[0069] Step S302: The monitoring device determines whether the detection signal is received for the first time. After detecting the local signal database of the device, since the standard signal is already stored in the database, the physical intrusion attack detection process is continued, and the process goes to step S4.

[0070] Step S4: differentially comparing the received detection signal data with standard signal data in the monitoring device signal database to obtain a difference signal between the two signals;

[0071] If the system is not attacked by physical intrusion, that means there is no external device, the result of the differential signal should be:

V.sub.diff(m,t)=(t)(t)

[0072] If the system is attacked by physical intrusion, that means there is at least one external device, the result of the differential signal should be:

V.sub.diff(m,t)=(t)+(t)(t)

(t)=2[(.sub.m.sub.m)(.sub.m.sub.m]U(t)

[0073] Among them (t) is the intrusion signal caused by the external device;

[0074] Step S5: detecting intrusion signal on the difference signal, wherein the detection processing and the step specifically include:

[0075] Step S501: performing noise reduction processing on the difference signal data; in the embodiment, using the digital averaging method to improve the SNR of the difference signal, and using MATLAB software to simulate the difference signal noise reduction processing. FIG. 4 is a noise reduction result of digital averaging method from a difference signal, and it can be seen from the figure that the digital averaging method can effectively reduce the influence of environmental noise and measurement noise on the difference signal;

[0076] Step S502: detecting whether the intrusion signal exists in the difference signal; the detection method in the embodiment uses the cross-correlation detection technology, and uses the MATALB software to perform the intrusion detection simulation on the difference signal. FIG. 5 shows the cross-correlation detection result from the difference signal and it can be seen from the figure that the cross-correlation detection technology can clearly distinguish the whether the intrusion signal exists in the difference signal to make a judgment for the physical intrusion attack of the system;

[0077] If the intrusion signal is detected in the difference signal, it is determined that the RS485 communication bus network has been subjected to a physical intrusion attack and continues to execute S6; if the intrusion signal is not detected in the difference signal, it is determined that the RS485 communication bus network is not subjected to a physical intrusion attack. The monitoring device turns to continue to monitoring state, and ends the processing of detecting the physical intrusion attack;

[0078] Step S6: According to the detection result of the intrusion signal, if the RS485 communication bus network is subjected to a physical intrusion attack, the detection result is reported to the RS485 controller, so that the controller can quickly judge and respond to the physical intrusion attack.

[0079] It can be seen from the above that by using the method for detecting physical intrusion attack proposed by the present invention, it is possible to quickly and accurately determine whether an external device exists in the system in the RS485 communication bus network, and determine that the system is subject to physical intrusion attacks.

[0080] One skilled in the art will understand that the embodiment of the present invention as shown in the drawings and described above is exemplary only and not intended to be limiting.

[0081] It will thus be seen that the objects of the present invention have been fully and effectively accomplished. Its embodiments has been shown and described for the purposes of illustrating the functional and structural principles of the present invention and is subject to change without departure from such principles. Therefore, this invention includes all modifications encompassed within the spirit and scope of the following claims.

Method for detecting physical intrusion attack in industrial control system based on analysis of signals on serial communication bus

Inventors

Cpc classification

Classification Explorer

H04L2012/40228

ELECTRICITY

Classification Explorer

G06F2221/033

PHYSICS

Classification Explorer

H04L12/40013

ELECTRICITY

Classification Explorer

G06F21/552

PHYSICS

Classification Explorer

G06F21/85

PHYSICS

Classification Explorer

H04L2012/40215

ELECTRICITY

Classification Explorer

H04L2012/40221

ELECTRICITY

Classification Explorer

H04L2012/40208

ELECTRICITY

Classification Explorer

G06F21/554

PHYSICS

Classification Explorer

G06F13/4282

PHYSICS

International classification

Classification Explorer

G06F21/55

PHYSICS

Classification Explorer

H04L12/40

ELECTRICITY

Classification Explorer

G06F13/42

PHYSICS

Abstract

Claims

Description