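An Anomaly Detection Method for Industrial Control Systems via State Transition Graph
Cite this article: LV Xue-Feng, XIE Yao-Bin. An Anomaly Detection Method for Industrial Control Systems via State Transition Graph. Acta Automatica Sinica, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832
Authors: LV Xue-Feng, XIE Yao-Bin
Affiliations: 1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001; 2. PLA Information Engineering University, Zhengzhou 450001
Abstract: State-based intrusion detection methods for industrial control systems are favored by researchers for their high accuracy, but such methods often rely on expert experience to define the system's critical states in advance, and they cannot handle systems with many state variables. To address this problem, a new anomaly detection method based on a state transition graph is proposed. The method uses the cosine similarity and Euclidean distance between adjacent data vectors to build a model of the system's normal state transitions, without requiring critical states to be defined in advance, and it decides whether the system is in an anomalous state by two conditions: 1) whether the state corresponding to the new data vector lies within the state transition graph; 2) whether the current state is reachable from the previous state. The paper establishes a malicious data attack model and runs simulation tests using the MATLAB model of the Tennessee-Eastman (TE) process as the simulation platform. The simulation results show that the method gives good detection results even when the system is under only a slight attack, and that it consumes little time and space.

Keywords: industrial control system; state transition graph; anomaly detection; Tennessee-Eastman process
Received: 2016-12-22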

An Anomaly Detection Method for Industrial Control Systems via State Transition Graph
LV Xue-Feng, XIE Yao-Bin. An Anomaly Detection Method for Industrial Control Systems via State Transition Graph. ACTA AUTOMATICA SINICA, 2018, 44(9): 1662-1671. doi: 10.16383/j.aas.2017.c160832
Authors: LV Xue-Feng, XIE Yao-Bin
Affiliation: 1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001; 2. PLA Information Engineering University, Zhengzhou 450001
Abstract: State-based intrusion detection for industrial control systems is favored for its high accuracy, but this kind of method often relies on critical states defined beforehand from expert experience and cannot deal with systems that have a large number of variables. To handle this problem, a new anomaly detection method based on a state transition graph is proposed. The proposed method constructs a normal state transition model of the system from the cosine similarity and Euclidean distance between two adjacent data vectors, without any predefined critical states, and determines whether the system is in the normal state according to the following two conditions: 1) whether the current state calculated from the new data vector is in the state transition graph; 2) whether the previous state can reach the current state. To evaluate the method, a false data injection model is established and tested on a Tennessee-Eastman (TE) process simulated in MATLAB. The results show that even when the attack is slight the method still achieves good detection results and consumes little time and space.
Keywords: Industrial control system; state transition graph; anomaly detection; Tennessee-Eastman (TE) process
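The two detection conditions in the abstract can be illustrated with a small sketch. This is an added example, not the authors' code: the abstract does not say how similarity and distance are turned into states, so the fixed-width binning, the bin widths, the reading of "reachable" as a directly observed edge, and all names and sample vectors are assumptions.

```python
import math

class StateTransitionGraph:
    """Normal-behaviour model: a state is the quantised (cosine similarity,
    Euclidean distance) of two adjacent data vectors; an edge is an observed
    succession of two states. The quantisation is an assumption of this sketch."""

    def __init__(self, sim_step=0.002, dist_step=0.8):  # assumed bin widths
        self.sim_step, self.dist_step = sim_step, dist_step
        self.states, self.edges = set(), set()

    def state_of(self, prev, cur):
        dot = sum(a * b for a, b in zip(prev, cur))
        norm = math.hypot(*prev) * math.hypot(*cur)
        cos = max(-1.0, min(1.0, dot / norm)) if norm else 1.0
        return (math.floor(cos / self.sim_step),
                math.floor(math.dist(prev, cur) / self.dist_step))

    def fit(self, vectors):
        """Learn states and edges from a trace of normal operation."""
        last = None
        for prev, cur in zip(vectors, vectors[1:]):
            s = self.state_of(prev, cur)
            self.states.add(s)
            if last is not None:
                self.edges.add((last, s))
            last = s
        return self

    def check(self, vectors):
        """Return one verdict per adjacent pair of vectors."""
        verdicts, last = [], None
        for prev, cur in zip(vectors, vectors[1:]):
            s = self.state_of(prev, cur)
            if s not in self.states:
                verdicts.append("unknown_state")   # condition 1 fails
            elif last is not None and (last, s) not in self.edges:
                verdicts.append("unreachable")     # condition 2 fails
            else:
                verdicts.append("normal")
            last = s
        return verdicts

# Constructed two-variable trace: slow ramp of the first variable, then a reset.
P0, P1, P2, P3 = (10, 5), (11, 5), (12, 5), (13, 5)
NORMAL = [P0, P1, P2, P3] * 2 + [P0]
model = StateTransitionGraph().fit(NORMAL)

if __name__ == "__main__":
    print(model.check([P0, P1, P2, P3, P0, P1]))  # replay of normal operation
    print(model.check([P0, P1, (20, 5)]))         # injected out-of-range value
    print(model.check([P2, P3, P0, P3]))          # known states, unseen order
```

The third trace is the case a state-membership check alone would miss: every state it produces was seen in training, but the order in which they occur was not.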