工控系統(Industrial Control System, ICS)整合資訊技術(Information Technology, IT)與運營技術(Operational Technology, OT),是近年工業領域熱門的研究主題。 ICS 廣泛應用於控制與管理透過網路聯結的重要機器設備,若 ICS 遭受來源不明的網路攻擊,可能導致設備運作異常,因而造成巨大經濟損失甚至於影響人員的安危。因此,針對ICS 網路安全的研究是關鍵且必要的。 本篇論文提出一個關於ICS 網路安全的異常偵測與分類方法,用以偵測使用工業傳輸協定 Modbus 與 S7 Comm (S7 Communication) 的網路流量資料 (network traffic data)是否異常,並對異常資料進行分類。本論文提出的方法包含三項主要步驟,以最大化異常偵測與分類效果。首先,使用降噪自動編碼器 (Denoising Autoencoder, DAE) 去除資料中潛在的雜訊。其次,面對含有異常行為的不平衡(imbalanced)資料,採用SMOTE (Synthetic Minority Oversampling Technique) 與 Tomek link (T-Link) 結合的資料過採樣(oversampling)與欠採樣(undersampling)方法,用以增加特定樣本的特徵代表性。最後使用極限梯度提升(eXtreme Gradient Boosting, XGBoost)建立異常偵測與分類模型。 本篇論文採用真實鐵路工業ICS的Electra資料集,用以評估所提方法的效能並和其他相關方法進行比較。實驗結果顯示,本篇論文提出的異常偵測與分類的方法,相較於其他異常偵測方法有較佳的精確度 (precision)、召回率 (recall) 與 F1-score 。 ;The industrial control system (ICS), which integrates information technology (IT) and operational technology (OT), is a hot research topic in the industrial field in recent years. ICS is widely used to control and manage important machines and devices connected through networks. If the ICS suffers from network attacks, machines and devices may work abnormally, causing huge economic losses and even affecting the safety of personnel. Therefore, research on ICS network security is critical and necessary. This thesis proposes an anomaly detection and classification method for ICS network security to detect and classify abnormalities in network traffic data of industrial field protocols like Modbus and S7 Communication (S7 Comm). The proposed method contains three major steps, as shown below. First, it uses the denoising autoencoder (DAE) to remove potential noise in data. Second, in face of imbalanced data of abnormalities, the synthetic minority oversampling technique (SMOTE) and the Tomek link (T-Link) mechanism are used to oversample and undersample data to increase representative characteristics of particular samples. Finally, extreme gradient boosting (XGBoost) is used to build anomaly detection and classification models. The real-life railway industry ICS dataset Electra is used to evaluate the effectiveness of the proposed method. The evaluation results are compared with those of other related methods. The proposed method is shown to have better precision, recall and F1-score than others in terms of both anomaly detection and anomaly classification.
