欢迎访问《电测与仪表》杂志社唯一官方网站

文章摘要

结合时延特征与安全评估的电力工控系统攻击溯源方法

Tracing method based on delay feature and security assessment for cyber-attack in power industrial control system

Received:March 09, 2023 Revised:April 01, 2023

DOI：10.19753/j.issn1001-1390.2025.10.001

英文关键词: power industrial control system, tracing for cyber-attack, delay feature, terminal security assessment, support vector machine

基金项目:国家自然科学基金资助项目(51977155)

Author Name	Affiliation	E-mail
HUANG Guirong	Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering China Electric Power Research Institute	hd0603@qq.com
LI Jun’e^*	Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering China Electric Power Research Institute	jeli@whu.edu.cn
WANG Yu	Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering China Electric Power Research Institute	564943524@qq.com
ZHU Chaoyang	China Electric Power Research Institute	zhucy@epri.sgcc.com.cn
ZHOU Liang	China Electric Power Research Institute	zhouliang@epri.sgcc.com.cn
MIU Siwei	China Electric Power Research Institute	realxyth@sina.com

Hits: 112

Download times: 50

中文摘要:

现有网络攻击溯源方法主要针对互联网，不适用于实时性要求高、使用专用通信协议的电力工控系统。电力工控系统节点之间的端到端时延相对稳定，且大部分终端为资源有限且业务单一的嵌入式终端。因此，文中提出了一种结合时延特征与安全评估的网络攻击溯源方法。根据报文的时延特征构建时延特征库，用于与攻击报文的时延特征进行匹配以得到可疑终端列表；通过终端安全评估指标对可疑终端进行安全评估以定位攻击源。实验与分析表明，所提方法支持非IP(internet protocoal)网络的攻击溯源，且对工控终端性能的影响在可接受范围内，与已有细粒度溯源方法相比，部署相对容易。

英文摘要:

The existing cyber-attack tracing methods mainly focus on the Internet and are not suitable for power industrial control system (PICS) due to its high real-time requirements and special communication protocols. In PICS, the end-to-end delays between the nodes are consistent, and most of the terminals are embedded terminals with limited resources and a single business. Therefore, a tracing method based on delay feature and security assessment for cyber-attack is proposed in this paper. A delay feature library is built according to the delay features of messages, which can be matched with the delay feature of the attack message to obtain the suspicious terminals. The security assessment of suspicious terminals is performed by assessment indicators to locate the attack source. Experiments and analysis show that the proposed method can traceback in non-internat protocoal (IP) network, and the impact on the performance of terminals in PICS is within acceptable limits. Compared with existing fine-grained tracing methods, the proposed method is relatively easy to deploy.

View Full Text View/Add Comment Download reader