作者投稿和查稿 主编审稿 专家审稿 编委审稿 远程编辑

计算机工程 ›› 2020, Vol. 46 ›› Issue (7): 36-42. doi: 10.19678/j.issn.1000-3428.0057547

• 热点与综述 • 上一篇    下一篇

基于工控系统功能码特征的同源攻击分析

王建华, 陈永乐, 张壮壮, 连晓伟, 陈俊杰   

  1. 太原理工大学 信息与计算机学院, 太原 030024
  • 收稿日期:2020-03-02 修回日期:2020-04-14 发布日期:2020-07-08
  • 作者简介:王建华(1995-),男,硕士研究生,主研方向为物联网安全;陈永乐,副教授、博士;张壮壮、连晓伟,硕士研究生;陈俊杰,教授、博士。
  • 基金资助:
    山西省自然科学基金(201701D111002,201601D021074);山西省重点研发项目(201903D121121)。

Same Origin Attack Analysis Based on Features of Industrial Control System Function Code

WANG Jianhua, CHEN Yongle, ZHANG Zhuangzhuang, LIAN Xiaowei, CHEN Junjie   

  1. College of Information and Computer, Taiyuan University of Technology, Taiyuan 030024, China
  • Received:2020-03-02 Revised:2020-04-14 Published:2020-07-08

摘要: IP溯源是追踪攻击者源头的主要方法,工业控制系统(ICS)需要精确的IP溯源以提高其防护能力。现有IP溯源方法存在开销大、恶意IP所属组织识别效率低的问题。为此,通过采集和分析ICS蜜罐数据,提出一种基于工控协议功能码特征的同源攻击分析方法,以识别攻击行为相似的组织并提高IP溯源的效率和准确性。用工控协议功能码的粗粒度统计特征和细粒度序列特征来量化攻击行为,采用粗糙集和聚类模型分别对2类特征进行建模,在此基础上分析蜜罐数据中的同源攻击。实验结果表明,该方法具有较高的准确率和召回率,结合威胁情报后能够在蜜罐数据中发现包括shodan在内的10个恶意组织。

关键词: IP溯源, 工业控制系统, 功能码序列, 同源攻击分析, 恶意组织

Abstract: IP traceback is one of the main methods of attack group identification.Industrial Control System(ICS) need accurate IP traceback to improve their self-protection.However,existing IP traceback methods are costly and inefficient in identification of the group a malicious IP belongs to.To address the problem,by collecting and analyzing the honeypot data of ICS,this paper proposes a same origin attack analysis method based on ICS function code features,so as to find out the attack group with similar attack behavior and improve the efficiency and accuracy of IP traceback.This method uses coarse-grained statistical features and fine-grained sequence features of industrial control function codes to quantify the attack behavior.Then the two kinds of features are modeled by using coarse set and clustering model.On this basis,the same origin attacks in honeypot data are analyzed.Experimental results show that the proposed method can use threat intelligence to discover more than 10 malicious groups including shodan in honeypot data with a high accuracy and recall rate.

Key words: IP traceback, Industrial Control System(ICS), function code sequence, same origin attack analysis, malicious group

中图分类号: