
Research on Key Technologies of Control Security in the Internet of Things (original Chinese title: 物联网环境下的控制安全关键技术研究)

[Author] 杨金翠 (Yang Jincui)

[Supervisor] 方滨兴 (Fang Binxing)

[Author information] Beijing University of Posts and Telecommunications, Computer Science and Technology, 2013, Doctoral degree

[Abstract (translated from the Chinese)] The Internet of Things (IoT) is currently a frontier research area that attracts great international attention and spans many disciplines; it is taken very seriously by academia and industry at home and abroad, and is regarded as one of the technologies that will have a major impact on the 21st century. As IoT technology develops and matures, people are increasingly combining the IoT with control systems so that each can exploit its own strengths, and the combination is widely applied in industrial manufacturing, aerospace, rail transit, healthcare, the military, disaster emergency response and other fields. The IoT is a double-edged sword: while it brings convenience to control systems, it also brings security problems that urgently need solving. For a long time, the control systems of manufacturing and production enterprises mostly used dedicated, closed architectures. When control systems are combined with the IoT, however, their architecture gradually shifts from closed to open; Industrial Ethernet and real-time Ethernet in the control loop become interconnected with remote networks, which attackers can easily exploit. In the IoT environment, traditional information-system security strategies cannot be applied directly to industrial control systems. Therefore, how to protect the infrastructure of every sector of society and the nation's key strategic resources, and how to minimise the hidden dangers and risks that the IoT poses to national and social security in terms of control security, is one of the core problems that must be solved before the IoT is deployed at scale. Current research on IoT security mostly concerns two elements: security protection and privacy protection. Security protection aims to protect the control system from attack and covers the properties considered by traditional security, such as integrity, availability and confidentiality; privacy protection aims to protect user information from attack. When the IoT is applied to control systems, however, the control security of the IoT, that is, the security of the controlled system, must also be considered. This dissertation starts from the security of the controlled system and studies key technologies of control security in the IoT environment. Because control security in the IoT environment is a broad and complex topic, new security flaws that do not fully match any known pattern can always appear. It is therefore impractical to protect the IoT against every possible type of control attack, including unknown types; the effective defence is to apply sound security principles so that the IoT system does not fall into an easily attacked state. Before studying the specific key technologies, this dissertation therefore first proposes the basic principles that control security in the IoT environment should follow: the comprehensive precaution principle, the appropriate precaution principle, the heterogeneous redundancy principle, the moderate decentralisation principle, the loop truncation principle and the worst-case assumption principle. To study key technologies of control security in the IoT environment, the security problems of IoT control systems must first be analysed systematically and comprehensively; once an overall understanding exists, a corresponding defence can be studied for each security risk in the system. From this idea, the dissertation first studies a universal control system security model for the IoT environment, and on the basis of that model studies one key control security technology in each of four aspects: source security, transmission security, algorithm security and system security. The main work and innovations of the dissertation are as follows:

(1) A universal control system security model for the IoT environment, S-IoTC, is established, providing a solid theoretical foundation for security research on industrial control systems. By analysing the characteristics of the IoT for industrial control, the dissertation proposes a standard architecture for the industrial-control IoT. On the basis of this standard architecture, starting from the security of the controlled system, it analyses the interference factors faced by control systems in the IoT environment, formalises them, and proposes the universal control system model IoTC and the universal control system security model S-IoTC for the IoT environment. The components of S-IoTC and its typical implementation process and algorithms are described in detail.

(2) A data-source security protection method based on a mutual authentication mechanism is proposed, which effectively guarantees data-source security in the IoT control environment. Addressing source security, the dissertation studies a mutual authentication mechanism for IoT control systems. By analysing the shortcomings of existing challenge-response RFID (Radio Frequency IDentification) authentication protocols when applied to the special environment of IoT control systems, it proposes improvements and a mutual authentication mechanism suited to the IoT control environment, between devices or between a device and the controlled equipment. The authentication process is described, a formal definition and an authentication model are given, and the main scenarios of the authentication process are described mathematically. In addition, the dissertation proposes the idea of further guaranteeing system security, on top of identity authentication, by authenticating location information and recognising the content of control commands. Taking the Stuxnet virus as a case study, three solutions for preventing Stuxnet are given using the proposed authentication mechanism, verifying its usability.

(3) A multi-level detection and early-warning model for bandwidth consumption attacks based on node response time is proposed, which can quickly find attacked nodes and effectively predict the data transmission situation of the IoT. Addressing transmission security, the dissertation studies a multi-level detection and early-warning model for bandwidth consumption attacks in wireless sensor networks. First, based on how node response time changes before and after an attack, a bandwidth consumption attack detection algorithm based on node response time is proposed to detect nodes under such attack. Guided by the detection algorithm, a monitoring, analysis and early-warning model for bandwidth consumption attacks is built and simulated in the existing experimental environment. The results show that the model can efficiently detect bandwidth consumption attacks and issue timely alarms. The dissertation also gives the countermeasures to be taken for each alarm level, reducing the losses caused by an attack.

(4) A high-order voting algorithm for IoT control is proposed. Addressing algorithm security, the dissertation studies algorithm redundancy design for the industrial-control IoT and discusses the importance of algorithm-level heterogeneous redundancy. The commonly used majority voting algorithm is improved, and experiments comparing the improved algorithm with the standard majority voting algorithm and the median voting algorithm show that it achieves a higher correctness rate and output efficiency. A high-order voting algorithm with secondary heterogeneous voting is further proposed, which raises the correctness rate of the voting result still further and provides a theoretical basis for future fault-tolerant arbitration module design. The redundancy design is applied to solutions for the high-speed train accident and the Air France crash.

(5) A simulation-based security guarantee mechanism for complex systems is proposed. Addressing system security, the dissertation studies simulation and real-time assessment methods for complex systems and proposes a simulation-based security guarantee mechanism. The assessment process mainly includes state acquisition from the actual system and the simulation system, real-time assessment of the acquired state information, judgement of the assessment result, and synchronisation of the simulation system. For real-time assessment, existing mature measurement methods are improved and a dissimilarity coefficient measure is proposed. Two methods are designed for judging the assessment result: setting a safety threshold, or grading the assessment result by security level. To prevent security problems caused by accumulated error during simulation, the importance of synchronising the simulation system is pointed out.

In summary, starting from control security problems in the IoT environment, this dissertation studies five key technologies of control security in the IoT environment. Its innovations are: a universal control system security model S-IoTC for the IoT environment; a data-source security protection method based on a mutual authentication mechanism; a multi-level detection and early-warning model for bandwidth consumption attacks based on node response time; a high-order voting algorithm for IoT control; and a simulation-based security guarantee mechanism for complex systems. These results can serve as solutions for several major incidents, namely the Stuxnet virus, the high-speed train accident and the Air France crash, showing that they have good practical value. The results have important theoretical and practical value in both scientific research and engineering.

[Abstract (original English)] Nowadays the Internet of Things (IoT) has become one of the hottest topics in the world. The IoT stands at the intersection of a variety of sciences and technologies, which has undoubtedly drawn great attention from experts in both academic R&D and industrial application. The IoT is also regarded as one of the most advanced technologies of the 21st century, with the potential to change the world. With the development of the technology, people tend to combine the IoT with control systems so that it can be used in a variety of industries such as manufacturing, aerospace, rail transportation, health care, the military, disaster emergency response and so on. Every coin has two sides, and so does the IoT. While enjoying the benefits of the IoT, people are becoming more and more concerned about its security. In the past, control systems used closed, dedicated frameworks. When combined with the IoT, however, the control system is exposed to an open environment rather than the previous closed one. For instance, Industrial Ethernet and real-time Ethernet in the control loop may be linked to the remote Internet. The exposure risk becomes very high, because attacks are easier in an open environment. Since traditional IT security technology cannot be applied directly in the IoT environment, the critical questions are how to protect vast infrastructures and secure strategic resources, and how to reduce the exposure risks and related impacts of the IoT. These issues must be addressed before the IoT is widely used. Prevailing studies on IoT security mainly focus on two elements: system protection and privacy protection. The former protects the control system from attack; the latter protects the user's information from attack. For system protection, traditional security technologies remain valuable, with attributes such as integrity, availability and confidentiality.

However, when a control system is combined with the IoT, not only the control system itself but also the target being controlled should be protected, which creates a broader demand for control security. Based on these concepts, this paper concentrates on the key technologies of control security in the IoT environment. Since control security in the IoT environment is a broad and complex problem, no existing technology, however mature, can be expected to cover the full complexity of the IoT. In other words, it is impractical to protect the IoT from all possible types of attack, including unknown ones. The effective defence is to set up reasonable security principles that keep the system from becoming vulnerable. Before the specific studies, the basic security principles are stated as follows: 1) the comprehensive precaution principle, 2) the appropriate precaution principle, 3) the heterogeneous redundancy principle, 4) the moderate decentralization principle, 5) the loop truncation principle and 6) the worst-scenario assumption principle. To study the key technologies of control security in the IoT environment, a systematic analysis of the problems is necessary. With the big picture understood as a whole, the specific studies can be entered one by one. Following this logic, the paper first studies a universal control system security model for the IoT environment. Based on this model, it studies the key technologies of control security in four aspects: source security, transmission security, algorithm security and system security. The innovative outcomes are as follows:

(1) A universal control system security model "S-IoTC" for the IoT environment is set up to provide strong fundamental theoretical support for security research on industrial control systems. By analysing the characteristics of the IoT for industrial control, we propose a standard architecture for the industrial-control IoT. On the basis of the standard architecture, and from the aspect of controlled-system security, we analyse the destructive factors in control systems under the IoT environment, formalize the process, and finally propose the universal IoT control system model "IoTC" and the universal IoT control system security model "S-IoTC". The contents of "S-IoTC", its typical implementation process and its algorithms are elaborated.

(2) A data-source rejection method based on an enhanced mutual authentication mechanism is proposed to effectively ensure data-source security in the IoT environment. Regarding the mutual authentication mechanism of the IoT control system, this paper analyses the shortcomings of the existing challenge-response based RFID (Radio Frequency IDentification) authentication protocol under the special environment of the IoT control system. With improvement measures, we also give a mutual authentication mechanism suitable for the control system of the IoT. The mechanism can be used either device-to-device or between a device and the device being passively controlled. The paper demonstrates the identification process, gives a formal definition of the authentication model, and gives a mathematical description of the authentication scenarios. In addition, the paper extends the authentication scope to ensure system security by incorporating location information identification and control command content recognition. As a case study based on this mutual authentication mechanism, we work out three solutions for Stuxnet prevention, verifying the validity of the proposed mechanism.

(3) A multi-level detection and early warning model for bandwidth consumption attacks based on node response time is proposed. The model can find the attacked node quickly and further effectively forecast the data transmission situation of the IoT. We study the multi-level detection and warning model for bandwidth consumption attacks against transmission security in WSNs. First, according to the change in node response time before and after an attack, a bandwidth consumption attack detection algorithm based on node response time is presented to detect nodes under bandwidth consumption attack. Secondly, guided by the detection algorithm, we set up an analysis model for early warning and monitoring of bandwidth consumption attacks. A simulation in the existing experimental environment shows that the early warning detection model can efficiently detect bandwidth consumption attacks and raise alarms in time. Finally, the paper recommends one-on-one measures for the different alarm levels to reduce the impact of the attack.

(4) A high-valence voting algorithm for the IoT control system is proposed. Regarding algorithm security, we study the algorithm redundancy design method for industrial control under the IoT environment, highlight the importance of heterogeneous redundancy at the algorithm level, and finally improve the majority-voting algorithm. An experiment is conducted to test the improved algorithm. Comparing the improved voting algorithm with the standard majority-voting algorithm and the median-voting algorithm, the experiment shows that the improved algorithm performs better in both correctness rate and output efficiency. Besides, the paper extends the improved voting algorithm to a high-valence voting algorithm with secondary heterogeneous voting, which can further improve the correctness rate of the voting results and provides a theoretical basis for the future design of fault-tolerant arbitration modules. As case studies, the redundant design idea is applied to work out solutions for the Wenzhou Express Railway Collision Accident and the Air France Flight Crash.

(5) A simulation-based security guarantee mechanism for complex systems is proposed. Regarding system security, the paper studies complex system simulation and real-time assessment methods, and finally proposes a simulation-based security guarantee mechanism for complex systems. The assessment process includes status acquisition for both the actual system and the simulation system, real-time evaluation of the target status information, determination of the assessment output, synchronization of the simulation system and so on. For the real-time evaluation process, a dissimilarity coefficient measurement method is proposed to upgrade the original mature metric method. For the assessment output determination, two methods are discussed: one sets a safety threshold, the other determines the security level of the assessment result. The importance of synchronization is highlighted, to prevent bias or error accumulation during the simulation process.

In summary, from the perspective of control security in the IoT environment, the paper studies five key technologies for control security in the IoT environment. The innovative outcomes are: a universal control system security model S-IoTC for the IoT environment; a data-source rejection method based on a mutual authentication mechanism; a multi-level detection and early warning model based on node response time for bandwidth consumption attacks; a high-valence voting algorithm for the IoT control system; and a simulation-based security guarantee mechanism for complex systems. These outcomes can be used in the solutions for the Stuxnet virus, the Wenzhou Express Railway Collision Accident and the Air France Flight Crash, showing that the research is feasible in practice.

In all, the research outcomes of this paper are of high theoretical and practical value in both scientific research and industrial engineering.

  • [Classification number] TP391.44; TN915.08
  • [Times cited] 9
  • [Downloads] 4222