Title: Implementation and Performance Evaluation of Zero Trust Architecture in TSN-enabled IIoT (original title: 基於時間敏感網路下工業物聯網之零信任架構實作與效能評估)
Author: Wang, Shang-Te (王尚德)
Advisor: Sun, Shi-Sheng (孫士勝)
Keywords: Industrial Internet of Things (IIoT); Zero Trust; OPC UA; Time-Sensitive Networking (TSN); Anomaly Detection
Date: 2025
Upload time: 4-Aug-2025 15:47:20 (UTC+8)
Abstract (translated from the Chinese abstract): With the arrival of the Industry 4.0 era of digital automated management, Industrial Internet of Things (IIoT) application scenarios are becoming increasingly complex, and traditional industrial control systems face multiple challenges, including device heterogeneity, network complexity and security threats. To address these challenges, this study proposes a centralized industrial control network security framework that integrates the OPC UA communication protocol, Time-Sensitive Networking (TSN) and a zero trust security architecture. The study takes the IEEE 802.1Qcc fully centralized management architecture as its basis and uses OPC UA (Open Platform Communications Unified Architecture) as the core communication framework to achieve unified integration of heterogeneous industrial communication protocols. The standardized OPC UA specification provides basic security mechanisms that strengthen communication security while preserving the high availability inherent to industrial control systems, ensuring continuous operation of production systems. To satisfy the strict real-time requirements of different industrial control systems, the study introduces TSN, which provides precise time synchronization and stable transmission guarantees for network traffic of different priorities. Through differentiated quality-of-service management, critical control data is delivered reliably within predetermined times, meeting the real-time requirements of industrial automation systems. For security protection, the study integrates a zero trust security model and builds a three-layer security mechanism consisting of SKS device identity authentication, an Isolation Forest anomaly detection model and VLAN micro-segmentation. Through continuous behavioral monitoring and dynamic device verification, the system can effectively identify and defend against potential security threats without affecting production efficiency. Experimental results show that under high-stress conditions of up to 1000 Mbps network load and 80% CPU load, the system still maintains stable transmission performance; when the anomaly detection models were tested on the UNSW-NB15 dataset, Isolation Forest showed better detection performance than One-Class SVM. The proposed integrated architecture not only addresses the key IIoT problems of heterogeneous integration, real-time guarantees and security enhancement, but also provides a feasible technical architecture for modernizing industrial control systems and is a valuable reference for realizing Industry 4.0.
Abstract (English, as given): With the rapid advancement of Industry 4.0, Industrial Internet of Things (IIoT) applications encounter increasing complexity. Traditional industrial control systems face significant challenges from device heterogeneity, network complexity, and security vulnerabilities. This research proposes an IEEE 802.1Qcc centralized architecture that utilizes OPC UA as the core communication framework. The proposed architecture integrates heterogeneous industrial protocols effectively, and the built-in security mechanisms of OPC UA enhance communication security while maintaining high availability for continuous production operations. Time-Sensitive Networking (TSN) technology provides precise time synchronization and deterministic transmission for industrial protocols of different priorities. This ensures the delivery of critical control data within predetermined timeframes. Through the implementation of a zero trust security model, continuous behavioral monitoring and device authentication are achieved. This integrated architecture effectively addresses key IIoT challenges, including heterogeneous protocol integration, real-time communication guarantees, and security enhancement. The proposed framework provides a practical technical solution for industrial control system modernization and serves as a valuable reference for Industry 4.0 implementation.
Description: Master's thesis
Institution: National Chengchi University
Program: Master's Program in Information Security
Student ID: 112791013
Source: http://thesis.lib.nccu.edu.tw/record/#G0112791013
Type: thesis
Handle: https://nccur.lib.nccu.edu.tw/handle/140.119/158786
Table of contents (translated; page numbers refer to the thesis PDF):
Acknowledgements i
Abstract (Chinese) iii
Abstract v
Contents vi
List of Figures ix
List of Tables xi
Chapter 1 Introduction 1
1.1 Research Motivation 1
1.2 Research Objectives 2
1.3 Thesis Organization 3
Chapter 2 Research Background and Related Work 5
2.1 Research Background 5
2.1.1 Evolution of Industrial Control System Network Architectures and Management Models 5
2.1.2 OPC UA 8
2.1.3 TSN 12
2.1.4 ZTA 19
2.2 Literature Review 22
Chapter 3 System Model and Architecture 25
3.1 System Environment 25
3.2 Core Mechanisms of the Centralized Zero Trust Architecture 29
3.2.1 Device Identity Authentication Mechanism 29
3.2.2 Continuous Behavioral Verification Mechanism 32
3.2.3 Service Micro-segmentation Mechanism 34
3.3 Centralized Data Transmission Mechanism 35
3.3.1 OPC UA Protocol Conversion 35
3.3.2 TSN Priority Classification and Quality-of-Service Definition 36
3.3.3 Multi-path Transmission for Reliability 36
Chapter 4 Experimental Design and Results 39
4.1 Zero Trust Architecture in the TSN Testbed 39
4.2 TSN High-Load Interference Resistance Performance Test 40
4.2.1 Experiment Purpose and Design 40
4.2.2 Experimental Environment Overview 40
4.2.3 Experimental Results and Analysis 42
4.3 Anomaly Detection Model Performance Evaluation 49
4.3.1 Experiment Background and Motivation 49
4.3.2 Model Selection and Training Method 49
4.3.3 Analysis of Experimental Results 50
Chapter 5 Conclusion and Future Work 53
5.1 Conclusion 53
5.2 Future Work 54
References 55
File size: 9768166 bytes
Format: application/pdf