US 11,657,150 B2
Two-dimensionality detection method for industrial control system attacks
Tianju Sui, Liaoning (CN); Qingfeng Liu, Liaoning (CN); and Ximing Sun, Liaoning (CN)
Assigned to DALIAN UNIVERSITY OF TECHNOLOGY, Liaoning (CN)
Filed by DALIAN UNIVERSITY OF TECHNOLOGY, Liaoning (CN)
Filed on Aug. 12, 2022, as Appl. No. 17/887,027.
Claims priority of application No. 202111054018.6 (CN), filed on Sep. 9, 2021.
Prior Publication US 2023/0076346 A1, Mar. 9, 2023
Int. Cl. G06F 21/55 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 2221/031 (2013.01)] 1 Claim
OG exemplary drawing
 
1. A two-dimensionality detection method for industrial control system attacks, specifically comprising the following steps:
S1, collecting data from underlying sensors of an industrial control system in real time by an industrial control sensor network; transmitting the data to an industrial control system including a programmable logic controller (PLC) and an independent embedded attack detection system, wherein an embedded processor in the embedded attack detection system does not allow a host computer to update the embedded processor and a download port is not allowed to be connected online; uploading, by the PLC, the received sensor data to a supervisory control and data acquisition (SCADA) system, and meanwhile, receiving, by the embedded attack detection system, downlink data after statistics of the SCADA system through network cables;
S2, under the condition of no attack, refining, by the embedded attack detection system, independent data distribution characteristics of normal operation of each sensor in the industrial control system by reading the data collected by the sensors; the independent data distribution characteristics comprising types of probability distribution near a mean value point, estimated error covariance, and function relationships between variables abstracted based on internal physical relationships of the industrial control system; and storing a refined feature pattern in the embedded processor of stand-alone operation, recorded as a system health data model; and
S3, an attack detection method of the industrial control system comprises two-dimensionality;
first dimensionality: comparing the data collected directly by the sensors with statistical data of the SCADA system to detect an attacked condition of the SCADA system, recorded as a first level attack alert; a detection mode is: comparing system control variable data downstream from the SCADA system at the same timestamp with the sensor data directly read by the embedded attack detection system; if a difference exceeds a maximum quantization error range for data transmission, considering that the SCADA system has malicious intrusion;
second dimensionality: comparing a statistical pattern of the data collected directly by the sensors with the health data model to judge the attacked condition of the sensors, recorded as a second level attack alert; wherein the statistical pattern of the data collected directly by the sensors comprises the types of probability distribution, covariance sizes and the function relationships between the variables; a detection mode is: on the premise of not triggering the first level attack alert, firstly counting whether the function relationships between the mean values of variables of the sensors are within an allowable error range of health model function relationships; if beyond the range, considering that sensor drivers have malicious tampering; next, counting types of probability density distribution of the data of each sensor, and covariances, and comparing with the health data model; if a difference is beyond a confidence interval, considering that the sensor drivers have malicious tampering.
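The two-level check of step S3, as an added illustration that is not part of the patent or its assignee's implementation: the health data model, the two-sensor relation s2 = a*s1 + b, the quantization-error bound, the tolerance values and the sample readings are all constructed assumptions, and the second level implements the mean-relationship and variance checks (the distribution-type check is not included).

```python
import statistics

# Constructed health data model (assumed form): the physical relation between the
# two sensors is modelled as mean(s2) = a * mean(s1) + b, together with the
# per-sensor variance expected during normal (attack-free) operation.
HEALTH_MODEL = {
    "relation": (2.0, 1.0),                # (a, b) for s2 = a * s1 + b
    "relation_tol": 0.5,                   # allowable error on the relation
    "variance": {"s1": 0.025, "s2": 0.1},  # estimated error covariance (diagonal)
    "variance_tol": 0.5,                   # relative band standing in for the confidence interval
}
MAX_QUANT_ERROR = 0.01  # maximum quantization error of the data transmission path (assumed)

def first_level(sensor_rows, scada_rows):
    """Level 1: SCADA downstream value vs. directly read sensor value at the same timestamp."""
    scada_by_ts = {r["ts"]: r for r in scada_rows}
    for row in sensor_rows:
        ref = scada_by_ts.get(row["ts"])
        if ref is None:
            continue
        if any(abs(row[k] - ref[k]) > MAX_QUANT_ERROR for k in ("s1", "s2")):
            return True  # disagreement larger than transmission noise: SCADA side tampered
    return False

def second_level(sensor_rows, model=HEALTH_MODEL):
    """Level 2: statistical pattern of the direct sensor data vs. the health model."""
    s1 = [r["s1"] for r in sensor_rows]
    s2 = [r["s2"] for r in sensor_rows]
    a, b = model["relation"]
    # First the function relationship between the sensor mean values
    if abs(statistics.mean(s2) - (a * statistics.mean(s1) + b)) > model["relation_tol"]:
        return True
    # Then the covariance (here the per-sensor variance) against the model's band
    for name, vals in (("s1", s1), ("s2", s2)):
        expected = model["variance"][name]
        if abs(statistics.variance(vals) - expected) > model["variance_tol"] * expected:
            return True
    return False

def detect(sensor_rows, scada_rows):
    """Returns 1 (first level: SCADA intrusion), 2 (second level: sensor driver tampering) or 0."""
    if first_level(sensor_rows, scada_rows):
        return 1
    return 2 if second_level(sensor_rows) else 0

def rows(s1_values, a=2.0, b=1.0, offset=0.0):
    """Constructed sample readings: s2 follows the physical relation plus an optional tamper offset."""
    return [{"ts": i, "s1": x, "s2": a * x + b + offset} for i, x in enumerate(s1_values)]
```

Note that the second level is only consulted when the SCADA copy agrees with the direct readings, matching the claim's premise that sensor-driver tampering corrupts the data before it reaches the PLC and SCADA.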