Please use this identifier to cite or link to this item:
https://nccur.lib.nccu.edu.tw/handle/140.119/158786
| Title: | Implementation and Performance Evaluation of Zero Trust Architecture in TSN-enabled IIoT |
| Authors: | 王尚德 Wang, Shang-Te |
| Contributors: | 孫士勝 Sun, Shi-Sheng 王尚德 Wang, Shang-Te |
| Keywords: | Industrial Internet of Things; Zero Trust; OPC UA; TSN; Anomaly Detection |
| Date: | 2025 |
| Issue Date: | 2025-08-04 15:47:20 (UTC+8) |
| Abstract: | With the rapid advancement of Industry 4.0, Industrial Internet of Things (IIoT) applications encounter increasing complexity. Traditional industrial control systems face significant challenges through device heterogeneity, network complexity, and security vulnerabilities. To address these challenges, this research proposes a centralized industrial control network security framework that integrates the OPC UA communication protocol, Time-Sensitive Networking (TSN), and a zero trust security architecture. The framework is built on the IEEE 802.1Qcc fully centralized management model and uses OPC UA (Open Platform Communications Unified Architecture) as the core communication framework to unify heterogeneous industrial protocols. The standardized security mechanisms built into OPC UA enhance communication security while preserving the high availability that industrial control systems require for continuous production. To meet the strict real-time requirements of different industrial control systems, TSN provides precise time synchronization and deterministic transmission guarantees for network traffic of different priorities; through differentiated quality-of-service management, critical control data is delivered reliably within predetermined timeframes. On the security side, the research integrates a zero trust model built from three mechanisms: SKS-based device identity authentication, an Isolation Forest anomaly detection model, and VLAN micro-segmentation. Through continuous behavioral monitoring and dynamic device authentication, the system identifies and mitigates potential security threats without reducing production efficiency. Experimental results show that the system maintains stable transmission performance under high-stress conditions of up to 1000 Mbps network load and 80% CPU load; when the anomaly detection model is tested on the UNSW-NB15 dataset, Isolation Forest shows better detection performance than One-Class SVM. The proposed integrated architecture addresses the key IIoT challenges of heterogeneous protocol integration, real-time communication guarantees, and security enhancement, provides a practical technical solution for industrial control system modernization, and serves as a valuable reference for Industry 4.0 implementation. |
| Description: | Master's thesis, National Chengchi University, Master's Program in Information Security, 112791013 |
| Source URI: | http://thesis.lib.nccu.edu.tw/record/#G0112791013 |
| Data Type: | thesis |
| Appears in Collections: | [Master's Program in Information Security] Theses |
Files in This Item:

| File | Description | Size | Format |
| 101301.pdf | | 9539Kb | Adobe PDF |
All items in 政大典藏 (the NCCU Institutional Repository) are protected by copyright, with all rights reserved.