Industrial control flow anomaly detection method and system based on convolution time sequence network

An abnormal-traffic detection technology based on a time series network, applied in the field of network information security, that addresses problems such as loss of data information and failure to fully consider the relationship between preceding and following data, and enables rapid defense measures.

Pending Publication Date: 2021-04-30
BEIJING UNIV OF TECH

AI Technical Summary

Problems solved by technology

[0005] The technical problem to be solved by the present invention is to provide a method and system for anomaly detection of industrial control traffic based on a convolutional time series network, addressing two shortcomings of machine learning or deep learning feature-extraction methods in industrial control systems: they lose data information, and they cannot fully consider the relationship between preceding and following data.

Examples

Embodiment 1

[0052] As shown in Figure 1, Embodiment 1 is a method for anomaly detection of industrial control traffic based on a convolutional time series network, including:

[0053] Step 1: Take the industrial control traffic data packets to be detected as input, and split, merge, regularize and group the data packets.

[0054] Step 2: Use the traffic data packets obtained in Step 1 as input to form a data set, use a deep learning model with an encoding and decoding structure to learn the temporal and spatial characteristics of the data set, and on this basis predict the traffic data of the next stage, obtaining the traffic prediction model.

[0055] Step 3: Use the traffic prediction model obtained in Step 2 to predict the traffic to be detected, and compare the prediction result with the real traffic to obtain the distance gap. Calculate the normalized score of the gap information within the group to obtain the distance gap distribution...

Embodiment 2

[0081] Embodiment 2 is an experiment on the industrial control data of a simulated oil refinery with S7 as the main industrial control protocol, and uses the following precision measures to evaluate the effect of the model.

[0082] First define the following four sample sets:

[0083] 1) TP: The set of samples that are positive in the data set and classified as positive by the model.

[0084] 2) FP: The set of samples that are negative in the data set but classified as positive by the model.

[0085] 3) TN: The set of samples that are negative in the data set and classified as negative by the model.

[0086] 4) FN: The set of samples that are positive in the data set but classified as negative by the model.

[0087] Based on the above four sample sets, the present invention uses four evaluation indexes commonly used in the field of intrusion detection to evaluate the detection performance of the intrusion detection model in the present invention.

[0088] Model detection performance evaluat...

Abstract

The invention discloses an industrial control traffic anomaly detection method and system based on a convolutional time series network. The method comprises the steps of: taking industrial control protocol traffic as input, splitting it according to read and write functions, then merging, normalizing and grouping the split data packets by unit time window so that they can be learned by a prediction model; forming a data set from the traffic data and using a neural network model with a ConvLSTM layer and an encoding and decoding architecture to obtain a traffic prediction model that predicts the next window's data from the current window's data; predicting the traffic data packets to be detected with the obtained prediction model to obtain the distance gap between predicted data and real data; calculating a normalized score of the intra-group gap information to obtain the distribution of windows and scores; and fusing the score distributions of the read and write models by weighting and detecting abnormal data traffic using the distribution information. The method adopts a predictive deep learning model with an encoding and decoding structure and introduces a ConvLSTM module, so that the temporal and spatial features of industrial control traffic are learned effectively.
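The scoring and fusion stages of the abstract, worked through as an added Python example (not code from the patent or its authors). The predicted windows are constructed stand-ins for the prediction models' output, and the window features, Euclidean distance, z-score normalization, fusion weights and threshold are all assumptions, since the page does not specify them; the TP/FP/TN/FN counts follow the definitions in Embodiment 2.

```python
import math
from statistics import mean, pstdev

# Constructed sample: 10 unit-time windows, each [packet count, mean data length].
# The *_PRED rows stand in for the output of the trained prediction models.
READ_PRED = [[10, 4]] * 10
READ_REAL = [[10, 4], [11, 4], [10, 4], [10, 5], [10, 4],
             [9, 4], [10, 4], [10, 4], [11, 4], [10, 4]]
WRITE_PRED = [[2, 1]] * 10
WRITE_REAL = [[2, 1]] * 7 + [[8, 9]] + [[2, 1]] * 2  # window 7: unexpected write burst
LABELS = [i == 7 for i in range(10)]                  # ground truth, True = anomalous

def gap_scores(predicted, real):
    """Distance gap per window, z-score normalized within the group (assumed choices)."""
    gaps = [math.dist(p, r) for p, r in zip(predicted, real)]
    mu, sigma = mean(gaps), pstdev(gaps)
    return [(g - mu) / sigma if sigma else 0.0 for g in gaps]

def fuse(read_scores, write_scores, w_read=0.4, w_write=0.6):
    """Weighted fusion of read-model and write-model scores (weights are assumptions)."""
    return [w_read * r + w_write * w for r, w in zip(read_scores, write_scores)]

def detect(fused, threshold=1.0):
    """Flag windows whose fused score exceeds an assumed threshold."""
    return [s > threshold for s in fused]

def confusion(flags, labels):
    """Count TP/FP/TN/FN as defined in Embodiment 2 (positive = anomalous)."""
    counts = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for flagged, truth in zip(flags, labels):
        counts[("T" if flagged == truth else "F") + ("P" if flagged else "N")] += 1
    return counts

def run():
    fused = fuse(gap_scores(READ_PRED, READ_REAL), gap_scores(WRITE_PRED, WRITE_REAL))
    flags = detect(fused)
    return fused, flags, confusion(flags, LABELS)

if __name__ == "__main__":
    fused, flags, counts = run()
    for i, (score, flagged) in enumerate(zip(fused, flags)):
        print(f"window {i}: fused score {score:+.3f} {'ANOMALY' if flagged else ''}")
    print(counts)
```

Normalizing within the group means a group that is flat (zero variance) scores 0.0 everywhere rather than dividing by zero, and the usable threshold depends on group size, because a single outlier's z-score is bounded by the number of windows in the group.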

Description

Technical field

[0001] The invention belongs to the technical field of network information security and relates to attack detection, in particular anomaly detection in industrial control systems.

Background

[0002] With the popularization of the industrial Internet, the degree of industrial informatization has continued to increase. More and more node devices in the network are connected to the Internet, and communication data (traffic) in different protocols is used to realize the interaction between multiple devices. As this interaction deepens, risks follow. The more nodes are opened, the more vulnerable the underlying industrial control system becomes to attackers; attackers often use pre-order attacks to achieve control of PLC control equipment. The resulting stoppage of factory operations or even damage to equipment has a huge impact on the enterprise. Ho...

Application Information

IPC(8): H04L29/06, H04L12/24, G06N3/04, G06N3/08
CPC: H04L63/1425, H04L63/20, H04L41/142, G06N3/084, G06N3/044, G06N3/045, Y02P90/02
Inventor: 毛北逢, 刘静, 赖英旭
Owner: BEIJING UNIV OF TECH