Journal of Frontiers of Computer Science and Technology ›› 2015, Vol. 9 ›› Issue (3): 352-359.DOI: 10.3778/j.issn.1673-9418.1406034

Previous Articles     Next Articles

Detection of Advanced Persistent Threats in SCADA Communication Network

WANG Chuan?an1+, ZHANG Tianhui2, ZHAO Haiyan1, ZHOU Guangxin1   

  1. 1. Anhui Science and Technology University, Fengyang, Anhui 233100, China
    2. Tsinghua Tongfang Co., Ltd., Beijing 100083, China
  • Online:2015-03-01 Published:2015-03-09

SCADA系统通信网中的高级持续性攻击检测方法

王传安1+,张天会2,赵海燕1,周广新1   

  1. 1. 安徽科技学院,安徽 凤阳 233100
    2. 清华同方股份有限公司,北京 100083

Abstract: Advanced persistent threat (APT) as a new attack, has become a major threat to the security of SCADA (supervisory control and data acquisition) systems, while the existing intrusion detection technology can not effectively deal with this type of attack, so the research on valid APT detection model is very significant. This paper proposes a new APT attack detection method. In this method, behavior patterns of the logging behavior are characterized by characteristic substring sequences of different lengths, and sequence supports are employed to construct the normal behavior profiles. Considering the complex characteristics of APT attack, this paper proposes a detection model based on similarity matrix matching and preset threshold to determine that the logging behavior is normal or anomalous. Through the comparative analysis, the detection method proposed in this paper shows good detection performance.

Key words: SCADA system, advanced persistent threat (APT), behavior pattern, matrix similarity

摘要: 高级持续性攻击(advanced persistent threat,APT)作为一种新型攻击,已成为SCADA(supervisory control and data acquisition)系统安全面临的主要威胁,而现有的入侵检测技术无法有效应对这一类攻击,因此研究有效的APT检测模型具有重要的意义。提出了一种新的APT攻击检测方法,该方法在正常日志行为建模阶段改进了对行为模式的表示方式,采用多种长度不同的特征子串表示行为模式,通过基于序列模式支持度来建立正常日志行为轮廓;在充分考虑日志事件时序特征的基础上,针对APT攻击行为复杂多变的特点,提出了基于矩阵相似匹配和判决阈值联合的检测模型。通过对比研究,该检测方法表现出了良好的检测性能。

关键词: SCADA系统, 高级持续性攻击(APT), 行为模式, 矩阵相似度