An improved content-based outlier detection method for ICS intrusion detection
EURASIP Journal on Wireless Communications and Networking (IF 2.6), Pub Date: 2020-05-18, DOI: 10.1186/s13638-020-01718-0
Huiping Li, Bin Wang, Xin Xie

Because industrial control systems are complex and their networks carry many different protocols, it is difficult to build intrusion detection models from network characteristics or from physical process models. To build a better flow model without additional protocol knowledge, we propose an intrusion detection method based on the content of network packets. The model construction follows the idea of the ZOE method: the similarity between flows is computed with a sequential coverage algorithm, the normal-flow model is built with a multi-layered clustering algorithm, and a Count-Mean-Min Sketch is used to store and count the flow model. An unknown flow is then compared against the constructed normal-flow model to detect intrusions in an industrial control system (ICS). Experiments on four ICS datasets show that the improved method raises the detection rate and lowers the false-positive rate: the detection rate averaged 96.7% and the false-positive rate averaged 0.7%.
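As an added worked illustration (not code from the paper or its authors), the following Python shows the content-based pipeline the abstract describes at its simplest: byte n-grams of packet payloads as the content features, a Count-Mean-Min Sketch (Count-Min counters with the noise-corrected CMM query of Deng and Rafiei) holding the normal-flow model, and an unknown flow scored by the share of its n-grams the model has not seen. The paper's sequential-coverage similarity and multi-layered clustering steps are not reproduced. The Modbus/TCP frames are constructed sample traffic, and the sketch dimensions, the n-gram size and the 0.3 alert threshold are assumptions chosen for the example.

```python
"""Content-based ICS anomaly scoring with a Count-Mean-Min Sketch.

Added illustration, not the paper's implementation: byte n-grams are the
content features, the sketch stores the normal-flow model, and an unknown
flow is scored by how much of its content the model has never seen.
"""
import hashlib
import statistics
from typing import Iterable, List


def byte_ngrams(payload: bytes, n: int = 3) -> List[bytes]:
    """Overlapping byte n-grams of a packet payload (the content features)."""
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]


class CountMeanMinSketch:
    """Count-Min counters with the Count-Mean-Min (CMM) point query.

    add():       standard Count-Min update, one counter per row.
    estimate():  per row, subtract the expected collision noise
                 (total - cell) / (width - 1), take the median over rows,
                 and cap the result by the plain Count-Min minimum.
    """

    def __init__(self, width: int = 4096, depth: int = 4) -> None:
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]
        self.total = 0  # sum of every count inserted so far

    def _column(self, row: int, item: bytes) -> int:
        # One independent hash per row: salt blake2b with the row index.
        digest = hashlib.blake2b(item, digest_size=8,
                                 salt=row.to_bytes(4, "big")).digest()
        return int.from_bytes(digest, "big") % self.width

    def add(self, item: bytes, count: int = 1) -> None:
        for row in range(self.depth):
            self.table[row][self._column(row, item)] += count
        self.total += count

    def count_min(self, item: bytes) -> int:
        """Plain Count-Min estimate: never below the true count."""
        return min(self.table[r][self._column(r, item)] for r in range(self.depth))

    def estimate(self, item: bytes) -> int:
        """Count-Mean-Min estimate: noise-corrected, never above count_min()."""
        cells = [self.table[r][self._column(r, item)] for r in range(self.depth)]
        corrected = [c - (self.total - c) / (self.width - 1) for c in cells]
        cmm = round(statistics.median(corrected))
        return max(0, min(min(cells), cmm))


class NormalFlowModel:
    """Normal-flow model: per-n-gram counts of benign flows, in one sketch."""

    def __init__(self, n: int = 3, width: int = 4096, depth: int = 4) -> None:
        self.n = n
        self.sketch = CountMeanMinSketch(width, depth)

    def train(self, payloads: Iterable[bytes]) -> None:
        for payload in payloads:
            # Count each n-gram once per flow, so a counter is the number of
            # normal flows whose content contains that n-gram.
            for gram in set(byte_ngrams(payload, self.n)):
                self.sketch.add(gram)

    def anomaly_score(self, payload: bytes, min_flows: int = 1) -> float:
        """Fraction of the payload's n-grams seen in fewer than min_flows
        normal flows: 0.0 = fully covered by the model, 1.0 = all novel."""
        grams = byte_ngrams(payload, self.n)
        if not grams:
            return 0.0
        novel = sum(1 for g in grams if self.sketch.estimate(g) < min_flows)
        return novel / len(grams)

    def is_anomalous(self, payload: bytes, threshold: float = 0.3) -> bool:
        # Assumed alert threshold; in practice tuned on held-out normal flows.
        return self.anomaly_score(payload) >= threshold


def modbus_read_request(tid: int, start: int, count: int = 10) -> bytes:
    """Constructed Modbus/TCP 'read holding registers' (FC 0x03) frame:
    MBAP header (transaction id, protocol 0, length 6, unit 1) + PDU."""
    return (tid.to_bytes(2, "big") + b"\x00\x00\x00\x06\x01\x03"
            + start.to_bytes(2, "big") + count.to_bytes(2, "big"))


# Constructed training traffic: 50 benign polls of four register blocks.
NORMAL_FLOWS = [modbus_read_request(tid, (tid % 4) * 10) for tid in range(50)]

# Constructed unknown flows: a benign poll, and a 'write multiple registers'
# (FC 0x10, length 11) frame to an address block the normal traffic never uses.
BENIGN_PROBE = modbus_read_request(7, 20)
WRITE_ATTACK = (b"\x00\x07\x00\x00\x00\x0b\x01\x10"
                b"\x10\x00\x00\x02\x04\xff\xff\xff\xff")


def build_model() -> NormalFlowModel:
    model = NormalFlowModel()
    model.train(NORMAL_FLOWS)
    return model


if __name__ == "__main__":
    m = build_model()
    for name, flow in (("benign", BENIGN_PROBE), ("write", WRITE_ATTACK)):
        print(f"{name}: score={m.anomaly_score(flow):.2f} "
              f"alert={m.is_anomalous(flow)}")
```

The benign probe scores 0.0 because every one of its n-grams occurs in the training flows, while the write frame scores 0.8 (12 of its 15 n-grams are novel). The reason to prefer the Count-Mean-Min query over plain Count-Min in this setting is directional: Count-Min only over-estimates, so a rare attack n-gram whose counters collide with common benign n-grams can look "seen" and slip through. CMM subtracts the expected collision noise, but it can under-estimate genuinely rare items, so the sketch width must stay large relative to the total count; a cheap sanity check after training is that an n-gram known to occur in exactly one normal flow still estimates to 1.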
