臺灣博碩士論文加值系統

隨著工業4.0的興起，具有計算和通信能力的工業控制系統（Industrial Control System, ICS）設備的數量快速增加，已成為國家關鍵基礎設施中關鍵的一環 ，例如電力，石油和天然氣管道。雖然工業物聯網與工業控制系統的結合帶來了益處，卻也增加了網路風險，在過去幾起著名的工業控制系統安全事件中，例如：2015年烏克蘭電力網路受到駭客攻擊，成為世界第一起駭客攻擊造成電網大規模停電事件，當電力系統受到駭客破壞，停電不僅可能會造成經濟損失，也是國家安全的問題，因此，工業控制系統與關鍵基礎設施的網路安全議題在近年來受到高度的重視。
為了抵禦針對工業控制系統中的惡意攻擊，入侵偵測系統(Intrusion Detection System, IDS)是一個常用的措施，透過對系統行為、安全日誌或網路監測等資訊，進行研判、比對，然後檢測出系統的異常行為，進一步採取適當的應變與防護措施。
本研究提出一個基於特徵或規則的電力干擾與入侵偵測方法，偵測已知的電力系統干擾與網路攻擊。本方法從電力系統資料集，透過預處理將資料轉換成序列資料，再利用序列樣式探勘方法找出電力系統的頻繁行為子序列，然後進行電力系統干擾和攻擊類別的預測。實驗結果顯示，本方法的分類預測準確率最高可達92.7％。

In the era of Industry 4.0, the number of industrial control system (ICS) devices with computing and commu-nication capabilities is rising rapidly. Also, ICS becomes the master piece in the control and management of critical infrastructures, such as energy plants, oil and gas infrastructures, water distribution, and waste water collection systems. While the combination of Industrial Internet of Things (IIOT) and ICS does improve productivity, the risk of cyber security is also increasing. There are several well-known security incidents involving the information technology networks of critical infrastructures. Cybersecurity incidents on critical infrastructure could cause economic losses and serious damage to national security. Therefore, the cybersecurity of industrial control sys-tems and critical infrastructures has received high attention in recent years.
In order to defend against malicious attacks on industrial control systems, intrusion detection system (IDS) is a common measure. By comparing and analyzing the information of network behaviors, logs, or monitored data, the abnormal behaviors can be detected, which can trigger appropriate responses to protect systems.
This thesis proposes a signature-based detection method for predicting the classes of power disturbances and cyber-attacks in power systems. In this thesis, the power system data set are preprocessed and transformed into sequence data set. Sequential pattern mining algorithm is then used to find frequent subsequences, which are in turn used as classification patterns for classifying power system disturbances and cyber-attacks. The experimental results show that the accuracy of the proposed method is about 92.7%.

致謝 i
摘要 ii
Abstract iii
目錄 iv
表目錄 vi
圖目錄 vii
第1章 緒論 1
1-1 研究背景與動機 1
1-2 研究目的 2
1-3 主要貢獻 3
1-4 論文架構 4
第2章 相關研究 6
2-1 入侵偵測 6
2-2 序列樣式探勘 7
2-3 分類問題 11
2-4 序列資料下的分類 13
第3章 系統架構與演算法 19
3-1 系統架構 19
3-2 資料預處理 20
3-2-1 特徵選取 20
3-2-2 資料離散化 21
3-2-3 產生狀態 22
3-2-4 產生序列 23
3-3 建立序列樣式探勘模型 25
3-3-1 序列樣式探勘 25
3-3-2 擷取類別的代表性序列樣式 27
3-4 預測序列類別模型 28
3-4-1 樣式分數計算 29
3-4-2 類別分數計算 31
3-4-3 預測類別 33
第4章 系統實作與實驗 35
4-1 開發工具與實驗環境 35
4-2 實驗資料集 36
4-2-1 資料集概述 36
4-2-2 資料預處理 41
4-3 實驗設計 42
4-4 實驗結果 43
4-5 討論 49
第5章 結論與未來研究 50
5-1 結論 50
5-2 未來研究方向 51
參考文獻 52

[1]E. J. M. Colbert and A. Kott, Cyber-security of SCADA and Other Industrial Control Systems: Springer International Publishing, 2016.
[2]Wikipedia: Stuxnet. Available: https://en.wikipedia.org/wiki/Stuxnet[accessed 2018/11/22]
[3]Wikipedia: December 2015 Ukraine power grid cyberattack. Available:
https://en.wikipedia.org/wiki/December_2015_Ukraine_power_grid_cyberattack[accessed 2018/11/22]
[4]Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Available: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html[accessed 2018/11/22]
[5]Power System Attack Datasets -Mississippi State University and Oak Ridge National Laboratory. Available: http://www.ece.uah.edu/~thm0009/icsdatasets/PowerSystem_Dataset_README.pdf [accessed 2018/10/26]
[6]L. A. Maglaras et al., “Cyber security of critical infrastructures,” ICT Express, vol. 4, no. 1, pp. 42-45,2018.
[7]A. O. Otuoze, M. W. Mustafa, R. M. Larik, "Smart grids security challenges: Classification by sources of threats", J. Elect. Syst. Inf. Technol., vol. 5, no. 3, pp. 468-483, 2018, [online] Available: http://www.sciencedirect.com/science/article/pii/S2314717218300163.[accessed 2019/02/06]
[8]C.-W. Ten, J. Hong, C.-C. Liu, "Anomaly detection for cybersecurity of the substations", IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 865-873, Dec. 2011.
[9]Y. Zhang, L. Wang, W. Sun, R. C. Green, and M. Alam, “Distributed intrusion detection system in a multi-layer network architecture of smart grids,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 796–808, Dec. 2011.
[10]R. Mitchell and I.-R. Chen, “Behavior-rule based intrusion detection systems for safety critical smart grid applications,” IEEE Trans. Smart Grid, vol. 4, no. 3, pp. 1254–1263, Sep. 2013.
[11]J. Valenzuela, J. Wang, and N. Bissinger, “Real-time intrusion detection in power system operations,” IEEE Trans. Power Syst., vol. 28, no. 2, pp. 1052–1062, May 2013.
[12]U. Adhikari, T. H. Morris, S. Pan, "Applying non-nested generalized exemplars classification for cyber-power event and intrusion detection", IEEE Trans. Smart Grid.
[13]R. Agrawal and R. Srikant, “Mining Sequential Patterns,” Proc. 1995 Int’l Conf. Data Eng. (ICDE ’95), pp. 3-14, Mar. 1995.
[14]N. Lesh, M. J. Zaki, and M. Ogihara, “Scalable feature mining for sequential data,” IEEE Int Syst 15, pp. 48–56, 2000.
[15]J. Pei, J. Han, B. Mortazavi-Asl, J. Wang, H. Pinto, Q. Chen, U. Dayal, and M.C. Hsu, “Mining Sequential Patterns by Pattern-Growth: The PrefixSpan Approach,” Proc. of IEEE Transactions on Knowledge and Data Engineering, pp. 1424-1440, 2004.
[16]E. Tuzun, and J.Dalmau, “Limbic encephalitis and variants: classification, diagnosis and treatment,” The neurologist, Vol.13, No. 5, pp.261–271, 2007.
[17]Y. Zhao, H. Zhang, S. Wu, J. Pei, L. Cao, C. Zhang, H. Bohlscheid, "Debt detection in social security by sequence classification using both positive and negative patterns", Proc. ECML-PKDD, vol. 5782, pp. 648-663, 2009.
[18]G. Fernandes, and P. F. Owezarski, “Automated Classification of Network Traffic Anomalies,” Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 19, pp. 91–100. 2009.
[19]林金翰, “以樣式涵蓋率為主的序列資料分類模型”, 碩士論文, 中興大學資訊工程學系, 2012.
[20]N. Lesh, M. J. Zaki, and M. Ogihara, “Mining features for sequence classification,” Proc. of 5th ACM SIGKDD international conference on knowledge discovery and data mining, San Diego, California, USA, 1999, pp. 242-246.
[21]V. S. Tseng, and C. H. Lee, “CBS: A New Classification Method by Using Sequential Patterns,” Proceedings of SIAM International Conference on Data Mining, pp. 596-600, 2005.
[22]V. S. Tseng, and C. H. Lee, “Effective temporal data classification by integrating sequential pattern mining and probabilistic induction,” Expert Systems with Applications 36, pp. 9524-9532, 2009.
[23]T. P. Exarchos, M. G. Tsipouras, C. Papaloukas, and D. I. Fotiadis, “A two-stage methodology for sequence classification based on sequential pattern mining and optimization,” Data & knowledge Engineering 66, pp. 467-487, 2008.
[24]S. Pan, T. Morris, U. Adhikari, "Classification of disturbances and cyber-attacks in power systems using heterogeneous time-synchronized data", IEEE Trans. Ind. Informat., vol. 11, no. 3, pp. 650-662, Jun. 2015.
[25]S. Pan, T. Morris, U. Adhikari, "Developing a hybrid intrusion detection system using data mining for power systems", IEEE Trans. Smart Grid, vol. 6, no. 6, pp. 3104-3113, Nov. 2015.
[26]U. Adhikari, T. Morris, S. Pan, "Applying Hoeffding adaptive trees for real-time cyber-power event and intrusion classification", IEEE Trans. Smart Grid.
[27]林孟秋, “一個以序列樣式長度為考量的序列資料分類模型”, 碩士論文,中興大學資訊工程學系, 2011.
[28]Power System Attack Datasets -Mississippi State University and Oak Ridge National Laboratory. Available: http://www.ece.uah.edu/~thm0009/icsdatasets/multiclass.7z [accessed 2018/10/26]
[29]R. C. B. Hink, J. M. Beaver, M. A. Buckner, T. Morris, U. Adhikari, S. Pan, "Machine learning for power system disturbance and cyber-attack discrimination", Resilient Control Systems (ISRCS) 2014 7th InternationalSymposium, pp. 1-8, Aug 2014.