CN112491860A - Industrial control network-oriented collaborative intrusion detection method - Google Patents
- Publication number: CN112491860A (application number CN202011313226.9A)
- Authority: CN (China)
- Prior art keywords: data, industrial control, control network, intrusion detection, industrial
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/1416: Network architectures or network communication protocols for network security; detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection (parents H04L63/00, H04L63/14, H04L63/1408)
- H04L63/10: Network architectures or network communication protocols for network security; controlling access to devices or network resources (parent H04L63/00)
- G06F16/2456: Information retrieval of structured data, e.g. relational data; query processing; query execution of query operations; binary matching operations; join operations (parents G06F16/00, G06F16/20, G06F16/24, G06F16/245, G06F16/2455, G06F16/24553, G06F16/24558)
- G06F16/2465: Information retrieval of structured data; special types of queries, e.g. statistical, fuzzy or distributed queries; query processing support for facilitating data mining operations in structured databases (parent G06F16/2458)
Abstract
The invention discloses a collaborative intrusion detection method for industrial control networks. The method first collects multidimensional data from the industrial control network in real time, comprising enterprise user data, industrial equipment data and industrial control network traffic data; preprocesses the collected data to remove noise and construct semi-structured data; extracts user features, equipment features and traffic features from the semi-structured data using machine learning and natural language processing; distils information from the three feature types and mines the associations among them to build a collaborative feature system for industrial control network intrusion detection; and, on the basis of that feature system, infers and classifies the factors affecting the security of the industrial control network, thereby achieving collaborative intrusion detection. The method provides multi-layer, multi-dimensional intrusion detection in the industrial control network and so improves its security.
Description
Technical Field
The invention relates to the technical field of industrial control network security, in particular to a collaborative intrusion detection method for an industrial control network.
Background
At present, industrial control networks and industrial production are deeply integrated, giving production activities the characteristics of digitalization, intelligence and networking, and some production links are connected to external networks. This raises efficiency but can also lead to serious security incidents. The industrial control network breaks the relatively closed and trusted manufacturing environment of traditional industry, so threats to industrial production from network attacks such as viruses, trojans and advanced persistent threats are intensifying. Once industrial infrastructure vital to the national economy and people's livelihood is attacked over the network, huge economic losses and wide social impact can result.
Intrusion detection is an important means of protecting the security of industrial control networks, since it can identify malicious behaviour in the network, and data-driven intrusion detection is the current mainstream approach. However, industrial control networks produce large volumes of data that are multi-source, heterogeneous and highly dynamic, and novel attack forms such as advanced persistent threats and zero-day vulnerability exploitation are difficult to detect.
Disclosure of Invention
The invention aims to provide a collaborative intrusion detection method for industrial control networks that realizes multi-layer, multi-dimensional intrusion detection in the industrial control network, thereby improving its security.
The purpose of the invention is realized by the following technical scheme:
A collaborative intrusion detection method for an industrial control network, the method comprising the following steps:
Step 1, collecting multidimensional data in the industrial control network in real time, the multidimensional data comprising enterprise user data, industrial equipment data and industrial control network traffic data;
Step 2, preprocessing the collected multidimensional data, removing data noise, and constructing semi-structured data;
Step 3, extracting user features, equipment features and traffic features from the semi-structured data by machine learning and natural language processing methods;
Step 4, extracting information from the three types of features and mining the associations among them, to construct a collaborative feature system for industrial control network intrusion detection;
Step 5, inferring and classifying the factors affecting the security of the industrial control network on the basis of the constructed collaborative feature system, so as to achieve collaborative intrusion detection.
As the technical scheme above shows, the method realizes multi-layer, multi-dimensional intrusion detection in the industrial control network, thereby improving its security.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a cooperative intrusion detection method for an industrial control network according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the present invention will be further described in detail with reference to the accompanying drawings, and as shown in fig. 1, a schematic flow chart of a cooperative intrusion detection method for an industrial control network according to the embodiment of the present invention is provided, where the method includes:
Step 1, collecting multidimensional data in the industrial control network in real time, the multidimensional data comprising enterprise user data, industrial equipment data and industrial control network traffic data.
In this step, the enterprise user data includes personnel basic information data and network behaviour data; the industrial equipment data comprises logs and configuration data of industrial controllers, numerical control machine tools, industrial robots and industrial upper computer (host) equipment on the industrial control network; the industrial control network traffic data comprises the control traffic, inter-domain traffic and bus traffic present in the different zones of the industrial control network.
In a specific implementation, the collection process of the enterprise user data specifically includes:
collecting personnel basic information data through an enterprise management platform; network behavior data is collected through switch port mirroring.
The acquisition process for the industrial equipment data specifically comprises:
collecting industrial controller log information through a USB interface and the upper computer; collecting numerical control machine tool log data through standard communication interfaces including OPC, DNC and RS-232 serial interfaces; collecting industrial robot logs through the robot's dedicated operation-log sharing port; and acquiring the running logs of the industrial upper computer (control host) equipment by active collection. Specifically, configuration data of target network devices can be obtained by executing commands and reading files over command-line protocols such as TELNET, SSH and SMB; host configuration data of mainstream Windows, Linux and Unix versions is collected by agentless scanning; and application configuration data is acquired by manual USB import.
The acquisition process for the industrial control network traffic data specifically comprises:
acquiring the control traffic, inter-domain traffic and bus traffic in the industrial control network by port mirroring. Specifically, traffic is copied from the mirror ports of the various switching devices in the industrial control network, and batch packet capture, layered decoding and protocol parsing are performed on it. The system provides deep protocol parsing for both conventional network application protocols and industrial protocols: the conventional protocols include HTTP, FTP and SMTP, and the industrial protocols include intelligent-manufacturing communication protocols such as Modbus, S7 and EtherNet/IP.
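The layered decoding and industrial protocol parsing described above can be illustrated with the simplest of the named protocols, Modbus/TCP. The following is an added example written for this page, not code from the patent: it decodes the MBAP header and PDU of mirrored Modbus/TCP requests, rejects frames whose length field does not match, and aggregates the decoded requests into per-unit traffic features. The classification of function codes into "read" and "write" (control) operations, the sample frames and the feature names are this example's own assumptions; the patent only says that Modbus traffic is parsed.

```python
import struct

# Function codes that change process state versus those that only read it.
# (Assumption: which codes count as "control" operations is this example's choice.)
MODBUS_READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                         3: "read_holding_registers", 4: "read_input_registers"}
MODBUS_WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                          15: "write_multiple_coils", 16: "write_multiple_registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, must be 0) | length (2) | unit id (1).
    The length field counts the unit id plus the PDU, i.e. len(frame) - 6.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size %d" % (length, len(frame)))
    fc = frame[7]
    pdu = frame[8:]
    rec = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
           "exception": bool(fc & 0x80), "operation": "other", "is_write": False}
    if fc in MODBUS_READ_FUNCTIONS and len(pdu) >= 4:
        rec["start_addr"], rec["quantity"] = struct.unpack(">HH", pdu[:4])
        rec["operation"] = MODBUS_READ_FUNCTIONS[fc]
    elif fc in (5, 6) and len(pdu) >= 4:
        rec["start_addr"], rec["value"] = struct.unpack(">HH", pdu[:4])
        rec["operation"] = MODBUS_WRITE_FUNCTIONS[fc]
        rec["is_write"] = True
    elif fc in (15, 16) and len(pdu) >= 5:
        rec["start_addr"], rec["quantity"], rec["byte_count"] = struct.unpack(">HHB", pdu[:5])
        rec["operation"] = MODBUS_WRITE_FUNCTIONS[fc]
        rec["is_write"] = True
    return rec


def is_well_formed(frame: bytes) -> bool:
    """True when the frame passes the MBAP sanity checks above."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def summarise_modbus(frames) -> dict:
    """Aggregate decoded requests into per-unit traffic features: read/write counts,
    write ratio, the set of written start addresses and the number of exception responses."""
    per_unit = {}
    for f in frames:
        rec = parse_modbus_tcp(f)
        s = per_unit.setdefault(rec["unit_id"], {"reads": 0, "writes": 0,
                                                 "exceptions": 0, "written_addrs": set()})
        if rec["exception"]:
            s["exceptions"] += 1
        elif rec["is_write"]:
            s["writes"] += 1
            s["written_addrs"].add(rec["start_addr"])
        elif rec["operation"] != "other":
            s["reads"] += 1
    for s in per_unit.values():
        total = s["reads"] + s["writes"]
        s["write_ratio"] = s["writes"] / total if total else 0.0
    return per_unit


# Constructed sample frames (not captured traffic), all addressed to unit 1:
# a holding-register read, a single-register write, a multi-register write
# and an exception response (function code 0x03 | 0x80, exception code 2).
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),
    bytes.fromhex("00020000000601060010ffff"),
    bytes.fromhex("00030000000b0110000000020400010002"),
    bytes.fromhex("000400000003018302"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_modbus_tcp(f))
    print(summarise_modbus(SAMPLE_FRAMES))
```

Writes to coils or registers from a source that normally only reads, or a burst of exception responses, are the kind of per-device traffic feature that later steps of the method associate with the target device.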
Step 2, preprocessing the collected multidimensional data, removing data noise, and constructing semi-structured data.
In this step, the collected multidimensional data is preprocessed by filling in missing values, identifying and removing outliers, and removing duplicate records, to form semi-structured intrusion detection data; this makes the data valid and usable and facilitates the extraction of user, equipment and traffic features.
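The three preprocessing operations named in this step, applied to device log records, as an added example that is not code from the patent. Duplicates are removed on a key, missing numeric values are filled with the field median, and outliers are found with a median-absolute-deviation (MAD) test; the choice of MAD and its 3.5 threshold, the record layout and the sample rows are this example's assumptions, since the patent does not say which outlier test it uses.

```python
import statistics


def dedupe(records, key_fields):
    """Drop records whose key fields repeat an earlier record (first occurrence wins)."""
    seen, out = set(), []
    for r in records:
        key = tuple(r.get(f) for f in key_fields)
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def fill_missing(records, numeric_fields):
    """Replace None in each numeric field with that field's median over the present values."""
    medians = {}
    for f in numeric_fields:
        present = [r[f] for r in records if r.get(f) is not None]
        medians[f] = statistics.median(present) if present else 0.0
    return [dict(r, **{f: medians[f] for f in numeric_fields if r.get(f) is None})
            for r in records]


def mad_outliers(records, field, threshold=3.5):
    """Indices of records whose modified z-score |0.6745 (x - median) / MAD| exceeds threshold.
    A zero MAD (all values identical) means no outlier can be declared."""
    values = [r[field] for r in records]
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        return set()
    return {i for i, v in enumerate(values) if abs(0.6745 * (v - med) / mad) > threshold}


def preprocess(records, key_fields, numeric_fields, outlier_field):
    """Dedupe, then fill, then drop outliers (in that order, so filled values take part
    in the outlier statistics)."""
    records = dedupe(records, key_fields)
    records = fill_missing(records, numeric_fields)
    bad = mad_outliers(records, outlier_field)
    return [r for i, r in enumerate(records) if i not in bad]


# Constructed sample device-log rows (not real data): one exact duplicate, one missing
# temperature reading and one implausible sensor value.
SAMPLE_LOGS = [
    {"device": "plc-01", "ts": 100, "cpu_temp": 41.0, "uptime_h": 120},
    {"device": "plc-01", "ts": 100, "cpu_temp": 41.0, "uptime_h": 120},
    {"device": "plc-01", "ts": 160, "cpu_temp": 42.0, "uptime_h": 121},
    {"device": "plc-02", "ts": 100, "cpu_temp": 40.5, "uptime_h": 300},
    {"device": "plc-02", "ts": 160, "cpu_temp": None, "uptime_h": 301},
    {"device": "plc-03", "ts": 100, "cpu_temp": 999.0, "uptime_h": 5},
    {"device": "plc-03", "ts": 160, "cpu_temp": 41.5, "uptime_h": 5},
]

if __name__ == "__main__":
    for row in preprocess(SAMPLE_LOGS, ("device", "ts"), ("cpu_temp", "uptime_h"), "cpu_temp"):
        print(row)
```

One caveat for intrusion detection specifically: an "outlier" in a device log can be exactly the attack evidence the model is supposed to learn, so in practice the dropped rows should be routed to an alert or quarantine set rather than discarded silently.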
Step 3, extracting user features, equipment features and traffic features from the semi-structured data by machine learning and natural language processing methods.
In this step, the user features comprise two parts, basic features and behaviour features, wherein:
the basic features are the user's access control role and access control permissions in the industrial control network; the behaviour features are the user's e-mail behaviour in the industrial control network, including whether an e-mail is a phishing mail and whether it contains malicious links or attachments;
the equipment features comprise multidimensional features extracted from the configuration information and log information of industrial control network devices, wherein:
the equipment configuration information comprises the device manufacturer, version and model; whether unnecessary services and ports posing security risks are enabled; whether a password is required at login; whether a policy is configured that allows only authorized IP addresses to use the TELNET and SSH protocols for remote login management; whether the SNMP service is enabled; whether weak passwords exist; whether the system's built-in log audit function is enabled; whether a Syslog server is designated; and whether security policies are enabled. The log information comprises features mined from the device running logs, including running time and device state features;
the traffic features comprise four types: basic connection features, connection content features, time-based traffic statistics and host-based traffic statistics, wherein:
the basic connection features comprise connection duration, protocol type, connection state, the network service type of the target host, and the number of bytes sent from the source host to the target host; the connection content features comprise the number of accesses to sensitive system files and directories, the number of failed login attempts, whether the login succeeded, whether superuser privilege was obtained, and the number of root user accesses; the time-based traffic statistics comprise the number of connections within a given time window that have the same target device or the same service as the current connection, and the percentage of error connections among them; the host-based traffic statistics comprise the number of connections, within a window of a given number of most recent connections, that have the same target device or the same service as the current connection, and the percentage of error connections among them.
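The basic, time-based and host-based traffic statistics defined above (and repeated in claim 5) are computed here over a constructed list of connection records, as an added example that is not the patent's code. The connection-state labels ("SF" for a normally completed connection, "S0" and "REJ" for failed ones), the two-second window, the 100-connection window and the sample records are this example's assumptions; the patent fixes neither the window sizes nor the state encoding.

```python
def basic_connection_features(conn):
    """Basic features of one connection record."""
    return {"duration": conn["end"] - conn["start"], "protocol": conn["proto"],
            "service": conn["service"], "state": conn["flag"], "src_bytes": conn["src_bytes"]}


def _error_rate(conns):
    # Any state other than a normally completed connection ("SF") is counted as an error.
    return sum(1 for c in conns if c["flag"] != "SF") / len(conns) if conns else 0.0


def time_based_features(conns, idx, window=2.0):
    """Statistics over the connections that started within `window` seconds before
    (and including) conns[idx]. `conns` must be sorted by start time."""
    cur = conns[idx]
    recent = [c for c in conns[:idx + 1] if cur["start"] - c["start"] <= window]
    same_host = [c for c in recent if c["dst"] == cur["dst"]]
    same_srv = [c for c in recent if c["service"] == cur["service"]]
    return {"count": len(same_host), "srv_count": len(same_srv),
            "error_rate": _error_rate(same_host), "srv_error_rate": _error_rate(same_srv)}


def host_based_features(conns, idx, n=100):
    """The same statistics over the last `n` connections up to and including conns[idx]."""
    cur = conns[idx]
    recent = conns[max(0, idx + 1 - n):idx + 1]
    same_host = [c for c in recent if c["dst"] == cur["dst"]]
    same_srv = [c for c in recent if c["service"] == cur["service"]]
    return {"dst_host_count": len(same_host), "dst_host_srv_count": len(same_srv),
            "dst_host_error_rate": _error_rate(same_host),
            "dst_host_srv_error_rate": _error_rate(same_srv)}


def feature_vector(conns, idx):
    """Join the three feature groups for connection conns[idx] into one row."""
    row = basic_connection_features(conns[idx])
    row.update(time_based_features(conns, idx))
    row.update(host_based_features(conns, idx))
    return row


# Constructed connection records (not captured traffic): two normal Modbus sessions from
# an HMI at 10.0.0.7 and, between them, a burst of failed connections from 10.0.0.9 that
# probes two controllers and two services within one second.
CONNS = [
    {"start": 0.0, "end": 0.5, "src": "10.0.0.7", "dst": "10.0.1.5", "proto": "tcp", "service": "modbus", "flag": "SF", "src_bytes": 60},
    {"start": 10.0, "end": 10.1, "src": "10.0.0.9", "dst": "10.0.1.5", "proto": "tcp", "service": "modbus", "flag": "S0", "src_bytes": 0},
    {"start": 10.2, "end": 10.3, "src": "10.0.0.9", "dst": "10.0.1.5", "proto": "tcp", "service": "s7comm", "flag": "S0", "src_bytes": 0},
    {"start": 10.4, "end": 10.5, "src": "10.0.0.9", "dst": "10.0.1.6", "proto": "tcp", "service": "modbus", "flag": "S0", "src_bytes": 0},
    {"start": 10.6, "end": 10.7, "src": "10.0.0.9", "dst": "10.0.1.5", "proto": "tcp", "service": "modbus", "flag": "REJ", "src_bytes": 0},
    {"start": 20.0, "end": 20.4, "src": "10.0.0.7", "dst": "10.0.1.5", "proto": "tcp", "service": "modbus", "flag": "SF", "src_bytes": 60},
]

if __name__ == "__main__":
    for i in range(len(CONNS)):
        print(feature_vector(CONNS, i))
```

For the last connection of the burst the time-based count is 3 with an error rate of 1.0, while the later normal session still carries a host-based error rate of 0.6 because the burst remains inside its 100-connection window; that persistence is what lets a slow scan show up in the host-based group after it has left the time-based one.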
Step 4, extracting information from the three types of features and mining the associations among them, to construct a collaborative feature system for industrial control network intrusion detection.
In this step, specifically, the semantic information of the extracted user, equipment and traffic features is mined from their contextual semantic environment in combination with the industrial control network asset (device) information, and the key effective features are extracted;
then the associations among the features are extracted on the basis of the key effective features, and the multidimensional features are linked to form a collaborative feature system for industrial control network intrusion detection.
In a specific implementation, the industrial control network asset devices are taken as the core: associations between devices are defined from the traffic features, and associations between users and devices are established from the users' access control role and permission features, finally forming a device-centric collaborative feature system with device-device and user-device associations, which provides the feature system and data basis for intrusion detection in the industrial control network.
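A minimal device-centric feature system of the kind this step describes, as an added example and not the patent's implementation: devices carry their configuration features, device-device links are learned from baseline traffic, user-device links come from access control roles, and one observed session is joined into a single row that combines all three feature groups. The device and user names, the configuration fields, the rule thresholds and the risk-flag names are this example's assumptions; the patent defers the actual classification to the model of step 5, and the rules here only show what the joined features make visible.

```python
from collections import defaultdict


class CollaborativeFeatureSystem:
    """Device-centric association graph: devices to devices (from traffic) and users to
    devices (from access control roles), with device configuration attached to nodes."""

    def __init__(self):
        self.devices = {}                        # device id -> configuration features
        self.user_roles = {}                     # user -> access control role
        self.role_devices = defaultdict(set)     # role -> devices the role may manage
        self.baseline_links = defaultdict(set)   # src device -> dst devices seen in baseline

    def add_device(self, dev, **config):
        self.devices[dev] = config

    def add_user(self, user, role, *allowed_devices):
        self.user_roles[user] = role
        self.role_devices[role].update(allowed_devices)

    def learn_baseline(self, flows):
        """flows: iterable of (src_device, dst_device) pairs from known-good traffic."""
        for src, dst in flows:
            self.baseline_links[src].add(dst)

    def event_features(self, user, src, dst, traffic):
        """Join user, target-device and traffic features for one observed session."""
        role = self.user_roles.get(user)
        cfg = self.devices.get(dst, {})
        row = {
            "user": user, "role": role,
            "user_authorized": dst in self.role_devices.get(role, set()),
            "link_in_baseline": dst in self.baseline_links.get(src, set()),
            "dst_telnet_open": cfg.get("telnet_enabled", False),
            "dst_weak_password": cfg.get("weak_password", False),
            "dst_syslog_configured": cfg.get("syslog_server") is not None,
        }
        row.update(traffic)
        return row

    @staticmethod
    def risk_flags(row):
        """Illustrative cross-feature rules; the patent uses a trained model instead."""
        flags = []
        if not row["user_authorized"]:
            flags.append("user_not_authorized_for_device")
        if not row["link_in_baseline"]:
            flags.append("device_link_not_in_baseline")
        if row.get("write_ratio", 0.0) > 0.5 and not row["link_in_baseline"]:
            flags.append("write_heavy_traffic_over_new_link")
        if row["dst_telnet_open"] and row["dst_weak_password"]:
            flags.append("weak_password_with_telnet_exposed")
        return flags


def build_sample_system():
    """Constructed plant: two controllers, an HMI and an engineering workstation."""
    s = CollaborativeFeatureSystem()
    s.add_device("plc-01", vendor="A", telnet_enabled=False, weak_password=False, syslog_server="10.0.2.10")
    s.add_device("plc-02", vendor="B", telnet_enabled=True, weak_password=True, syslog_server=None)
    s.add_device("hmi-01", vendor="C", telnet_enabled=False, weak_password=False, syslog_server="10.0.2.10")
    s.add_device("eng-ws-01", vendor="C", telnet_enabled=False, weak_password=False, syslog_server="10.0.2.10")
    s.add_user("alice", "engineer", "plc-01", "plc-02", "hmi-01")
    s.add_user("bob", "operator", "hmi-01")
    s.learn_baseline([("hmi-01", "plc-01"), ("hmi-01", "plc-02"), ("eng-ws-01", "plc-01")])
    return s


if __name__ == "__main__":
    s = build_sample_system()
    for user, src, dst, traffic in [("alice", "eng-ws-01", "plc-01", {"write_ratio": 0.2}),
                                    ("bob", "hmi-01", "plc-02", {"write_ratio": 0.9}),
                                    ("alice", "eng-ws-01", "plc-02", {"write_ratio": 0.9})]:
        row = s.event_features(user, src, dst, traffic)
        print(user, "->", dst, CollaborativeFeatureSystem.risk_flags(row))
```

The point of the join is that none of the three groups alone separates the last two sessions: bob's traffic looks like normal HMI-to-PLC traffic, and alice's engineering write is permitted by her role, but the combination of user, link and device configuration marks each of them differently.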
Step 5, inferring and classifying the factors affecting the security of the industrial control network on the basis of the constructed collaborative feature system, so as to achieve collaborative intrusion detection.
In this step, a Long Short-Term Memory (LSTM) model for intrusion detection is trained on the constructed collaborative feature system, its parameters are determined, and the model is periodically adjusted with the data collected in real time to obtain a trained intrusion detection model; in addition, different intrusion detection models can be built for different business scenarios, to meet intrusion detection requirements at different levels;
the feature-system data collected in real time from the industrial control network is then input into the trained intrusion detection model, realizing intrusion detection for the industrial control network and raising an alarm on intrusion behaviour.
In a specific implementation, an intrusion detection model is first trained with the LSTM algorithm on the existing data. The core idea of LSTM is to model the evolution of a cell state: through gate structures the algorithm can remove information from or add information to the cell state, and the data is processed through a forget gate, an input gate and an output gate to obtain the result. First the data passes through the forget gate, which decides by a Sigmoid unit which information is retained or discarded, as in formula (1):
$$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f) \quad (1)$$
where $\sigma$ denotes the Sigmoid function, $h_{t-1}$ is the output of the previous cell, $x_t$ is the input of the current cell, $W$ is a weight parameter and $b$ is a bias (adjustment) coefficient;
the next operation decides which new information to add to the cell state, which includes deciding by the input gate which information to update and computing the new candidate cell information, as in the following formula:
$$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i) \quad (2)$$
Formula (2) determines, through a Sigmoid layer, which information needs to be updated; formula (3) computes the candidate update content through a tanh layer; formula (4) combines the two to update the cell state;
finally, the output is obtained through the output gate, which comprises determining the output part and the final output, as in the following formulas:
$$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o) \quad (5)$$
$$h_t = o_t \times \tanh(C_t) \quad (6)$$
The Sigmoid layer of formula (5) determines which part of the cell state is output; formula (6) passes the cell state through a tanh layer and multiplies it by the output of formula (5) to obtain the final output $h_t$, which is the classification result of intrusion detection.
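The forward pass of the gated cell described by formulas (1), (2), (5) and (6) above (and again in claim 8), as an added example in plain Python that is not the patent's code. The candidate-state and cell-update steps the text numbers (3) and (4) without printing are taken here in the standard LSTM form ($\tilde C_t = \tanh(W_c \cdot [h_{t-1}, x_t] + b_c)$ and $C_t = f_t \times C_{t-1} + i_t \times \tilde C_t$), which is an assumption about the page's intent. Training (fitting $W$ and $b$) is not shown; the weights are initialised deterministically, the logistic output layer that turns the final $h_t$ into an intrusion score is this example's addition, and the feature sequence is constructed.

```python
import math
import random


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def affine(W, b, v):
    """W·v + b for a matrix W given as a list of rows and a bias vector b."""
    return [sum(w * x for w, x in zip(row, v)) + bi for row, bi in zip(W, b)]


def make_params(input_dim, hidden, scale=0.1, seed=0):
    """Weights for the four gates over the concatenated vector [h_{t-1}, x_t].
    scale=0.0 gives all-zero weights, which makes the cell's arithmetic checkable by hand."""
    rng = random.Random(seed)
    width = hidden + input_dim

    def mat():
        return [[rng.uniform(-scale, scale) for _ in range(width)] for _ in range(hidden)]

    return {"Wf": mat(), "bf": [0.0] * hidden,
            "Wi": mat(), "bi": [0.0] * hidden,
            "Wc": mat(), "bc": [0.0] * hidden,
            "Wo": mat(), "bo": [0.0] * hidden}


def lstm_step(p, h_prev, c_prev, x_t):
    """One cell update; returns (h_t, C_t)."""
    z = list(h_prev) + list(x_t)                                        # [h_{t-1}, x_t]
    f = [sigmoid(v) for v in affine(p["Wf"], p["bf"], z)]               # forget gate, (1)
    i = [sigmoid(v) for v in affine(p["Wi"], p["bi"], z)]               # input gate, (2)
    g = [math.tanh(v) for v in affine(p["Wc"], p["bc"], z)]             # candidate, tanh layer (3)
    c = [fk * ck + ik * gk for fk, ck, ik, gk in zip(f, c_prev, i, g)]  # cell update (4)
    o = [sigmoid(v) for v in affine(p["Wo"], p["bo"], z)]               # output gate, (5)
    h = [ok * math.tanh(ck) for ok, ck in zip(o, c)]                    # output, (6)
    return h, c


def run_sequence(p, xs, hidden):
    """Feed a sequence of feature vectors through the cell from a zero state."""
    h, c = [0.0] * hidden, [0.0] * hidden
    for x in xs:
        h, c = lstm_step(p, h, c, x)
    return h, c


def classify_sequence(p, w_out, b_out, xs, hidden, threshold=0.5):
    """Score the final hidden state with a logistic output layer; label 1 = intrusion."""
    h, _ = run_sequence(p, xs, hidden)
    score = sigmoid(sum(w * v for w, v in zip(w_out, h)) + b_out)
    return score, int(score >= threshold)


# Constructed sequence of per-connection feature rows (not real data):
# [error_rate, srv_count / 10, write_ratio, user_authorized] over four observations.
SAMPLE_SEQUENCE = [
    [0.0, 0.1, 0.2, 1.0],
    [1.0, 0.3, 0.0, 1.0],
    [1.0, 0.3, 0.0, 1.0],
    [0.5, 0.2, 0.9, 0.0],
]

if __name__ == "__main__":
    params = make_params(input_dim=4, hidden=3)
    print(classify_sequence(params, [0.5, -0.5, 1.0], 0.0, SAMPLE_SEQUENCE, hidden=3))
```

With all weights zero every gate sits at 0.5 and the candidate at 0, so the cell state simply halves each step; pushing $b_f$ strongly negative drives $f_t$ to 0 and wipes the state, which is the "discard" decision of formula (1) made visible.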
Parts of the embodiments not described in detail herein are known to those skilled in the art.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (8)
1. A collaborative intrusion detection method for an industrial control network, characterized in that the method comprises the following steps:
step 1, collecting multidimensional data in the industrial control network in real time, the multidimensional data comprising enterprise user data, industrial equipment data and industrial control network traffic data;
step 2, preprocessing the collected multidimensional data, removing data noise, and constructing semi-structured data;
step 3, extracting user features, equipment features and traffic features from the semi-structured data by machine learning and natural language processing methods;
step 4, extracting information from the three types of features and mining the associations among them, to construct a collaborative feature system for industrial control network intrusion detection;
step 5, inferring and classifying the factors affecting the security of the industrial control network on the basis of the constructed collaborative feature system, so as to achieve collaborative intrusion detection.
2. The collaborative intrusion detection method for an industrial control network according to claim 1, wherein in step 1 the enterprise user data includes personnel basic information data and network behaviour data;
the industrial equipment data comprises logs and configuration data of industrial controllers, numerical control machine tools, industrial robots and industrial upper computer equipment on the industrial control network;
the industrial control network traffic data comprises the control traffic, inter-domain traffic and bus traffic present in the different zones of the industrial control network.
3. The collaborative intrusion detection method for an industrial control network according to claim 1 or 2, wherein in step 1 the acquisition process for the enterprise user data specifically comprises:
collecting personnel basic information data through the enterprise management platform, and collecting network behaviour data through switch port mirroring;
the acquisition process for the industrial equipment data specifically comprises:
collecting industrial controller log information through a USB interface and the upper computer; collecting numerical control machine tool log data through a standard communication interface; collecting industrial robot logs through the robot's dedicated operation-log sharing port; and acquiring the running logs of the industrial upper computer (control host) equipment by active collection;
the acquisition process for the industrial control network traffic data specifically comprises:
acquiring the control traffic, inter-domain traffic and bus traffic in the industrial control network by port mirroring.
4. The collaborative intrusion detection method for an industrial control network according to claim 1, wherein step 2 specifically comprises:
preprocessing the collected multidimensional data by filling in missing values, identifying and removing outliers, and removing duplicate records, to form semi-structured intrusion detection data.
5. The collaborative intrusion detection method for an industrial control network according to claim 1, wherein in step 3 the user features comprise two parts, basic features and behaviour features, wherein:
the basic features are the user's access control role and access control permissions in the industrial control network; the behaviour features are the user's e-mail behaviour in the industrial control network, including whether an e-mail is a phishing mail and whether it contains malicious links or attachments;
the equipment features comprise multidimensional features extracted from the configuration information and log information of industrial control network devices, wherein:
the equipment configuration information comprises the device manufacturer, version and model; whether unnecessary services and ports posing security risks are enabled; whether a password is required at login; whether a policy is configured that allows only authorized IP addresses to use the TELNET and SSH protocols for remote login management; whether the SNMP service is enabled; whether weak passwords exist; whether the system's built-in log audit function is enabled; whether a Syslog server is designated; and whether security policies are enabled; the log information comprises features mined from the device running logs, including running time and device state features;
the traffic features comprise four types: basic connection features, connection content features, time-based traffic statistics and host-based traffic statistics, wherein:
the basic connection features comprise connection duration, protocol type, connection state, the network service type of the target host, and the number of bytes sent from the source host to the target host; the connection content features comprise the number of accesses to sensitive system files and directories, the number of failed login attempts, whether the login succeeded, whether superuser privilege was obtained, and the number of root user accesses; the time-based traffic statistics comprise the number of connections within a given time window that have the same target device or the same service as the current connection, and the percentage of error connections among them; the host-based traffic statistics comprise the number of connections, within a window of a given number of most recent connections, that have the same target device or the same service as the current connection, and the percentage of error connections among them.
6. The collaborative intrusion detection method for an industrial control network according to claim 1, wherein step 4 specifically comprises:
mining the semantic information of the extracted user, equipment and traffic features from their contextual semantic environment in combination with the industrial control network asset (device) information, and extracting the key effective features therein;
extracting the associations among the features on the basis of the key effective features, and linking the multidimensional features to form a collaborative feature system for industrial control network intrusion detection.
7. The collaborative intrusion detection method for an industrial control network according to claim 1, wherein step 5 specifically comprises:
training a model for intrusion detection on the constructed collaborative feature system with the long short-term memory (LSTM) network algorithm, determining the model parameters, and periodically adjusting the model with the data collected in real time to obtain a trained intrusion detection model;
inputting the feature-system data detected in real time from the industrial control network into the trained intrusion detection model, realizing intrusion detection for the industrial control network and raising an alarm on intrusion behaviour.
8. The collaborative intrusion detection method for an industrial control network according to claim 7, wherein inputting the feature-system data detected in real time from the industrial control network into the trained intrusion detection model to realize intrusion detection specifically comprises:
inputting the feature-system data detected in real time from the industrial control network into the trained intrusion detection model, and processing the data through a forget gate, an input gate and an output gate;
first the data passes through the forget gate, which decides by a Sigmoid unit which information is retained or discarded, as in formula (1):
$$f_t = \sigma(W_f \cdot [h_{t-1}, x_t] + b_f) \quad (1)$$
where $\sigma$ denotes the Sigmoid function; $h_{t-1}$ is the output of the previous cell; $x_t$ is the input of the current cell; $W$ is a weight parameter; $b$ is a bias (adjustment) coefficient;
the next operation decides which new information to add to the cell state, which includes deciding by the input gate which information to update and computing the new candidate cell information, as in the following formula:
$$i_t = \sigma(W_i \cdot [h_{t-1}, x_t] + b_i) \quad (2)$$
formula (2) determines, through a Sigmoid layer, which information needs to be updated; formula (3) computes the candidate update content through a tanh layer; formula (4) combines the two to update the cell state;
finally, the output is obtained through the output gate, which comprises determining the output part and the final output, as in the following formulas:
$$o_t = \sigma(W_o \cdot [h_{t-1}, x_t] + b_o) \quad (5)$$
$$h_t = o_t \times \tanh(C_t) \quad (6)$$
the Sigmoid layer of formula (5) determines which part of the cell state is output; formula (6) passes the cell state through a tanh layer and multiplies it by the output of formula (5) to obtain the final output.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011313226.9A CN112491860A (en) | 2020-11-20 | 2020-11-20 | Industrial control network-oriented collaborative intrusion detection method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112491860A true CN112491860A (en) | 2021-03-12 |
Family
ID=74932553
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114095208A (en) * | 2021-10-26 | 2022-02-25 | 深信服科技股份有限公司 | Safety detection method and device, electronic equipment and medium |
CN114172699A (en) * | 2021-11-19 | 2022-03-11 | 北京计算机技术及应用研究所 | Industrial control network security event correlation analysis method |
CN114401135A (en) * | 2022-01-14 | 2022-04-26 | 国网河北省电力有限公司电力科学研究院 | Internal threat detection method based on LSTM-Attention user and entity behavior analysis technology |
CN116668436A (en) * | 2023-08-02 | 2023-08-29 | 安徽华云安科技有限公司 | Distributed data acquisition method and system based on SMB protocol |
WO2024060245A1 (en) * | 2022-09-23 | 2024-03-28 | 西门子股份公司 | Method and apparatus for analyzing device trust level, electronic device, and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108259462A (en) * | 2017-11-29 | 2018-07-06 | 国网吉林省电力有限公司信息通信公司 | Big data Safety Analysis System based on mass network monitoring data |
CN109861995A (en) * | 2019-01-17 | 2019-06-07 | 安徽谛听信息科技有限公司 | A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium |
CN110166484A (en) * | 2019-06-06 | 2019-08-23 | 中国石油大学(华东) | A kind of industrial control system intrusion detection method based on LSTM-Attention network |
CN110495138A (en) * | 2017-05-31 | 2019-11-22 | 西门子股份公司 | The monitoring method of industrial control system and its network security |
AU2020102142A4 (en) * | 2020-09-04 | 2020-10-15 | Acharya, Biswaranjan MR | Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system |
Events
Date | Event |
---|---|
2020-11-20 | CN application CN202011313226.9A filed (publication CN112491860A), status: Pending |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110495138A (en) * | 2017-05-31 | 2019-11-22 | 西门子股份公司 | The monitoring method of industrial control system and its network security |
CN108259462A (en) * | 2017-11-29 | 2018-07-06 | 国网吉林省电力有限公司信息通信公司 | Big data Safety Analysis System based on mass network monitoring data |
CN109861995A (en) * | 2019-01-17 | 2019-06-07 | 安徽谛听信息科技有限公司 | A kind of safe big data intelligent analysis method of cyberspace, computer-readable medium |
CN110166484A (en) * | 2019-06-06 | 2019-08-23 | 中国石油大学(华东) | A kind of industrial control system intrusion detection method based on LSTM-Attention network |
AU2020102142A4 (en) * | 2020-09-04 | 2020-10-15 | Acharya, Biswaranjan MR | Technique for multilayer protection from quantifiable vulnerabilities in industrial cyber physical system |
Non-Patent Citations (1)
Title |
---|
MD DELWAR HOSSAIN et al.: "LSTM-based Network Attack Detection: Performance Comparison by Hyper-parameter Values Tuning", 2020 7th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud) * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114095208A (en) * | 2021-10-26 | 2022-02-25 | 深信服科技股份有限公司 | Safety detection method and device, electronic equipment and medium |
CN114095208B (en) * | 2021-10-26 | 2023-12-29 | 深信服科技股份有限公司 | Security detection method, security detection device, electronic equipment and medium |
CN114172699A (en) * | 2021-11-19 | 2022-03-11 | 北京计算机技术及应用研究所 | Industrial control network security event correlation analysis method |
CN114401135A (en) * | 2022-01-14 | 2022-04-26 | 国网河北省电力有限公司电力科学研究院 | Internal threat detection method based on LSTM-Attention user and entity behavior analysis technology |
WO2024060245A1 (en) * | 2022-09-23 | 2024-03-28 | 西门子股份公司 | Method and apparatus for analyzing device trust level, electronic device, and storage medium |
CN116668436A (en) * | 2023-08-02 | 2023-08-29 | 安徽华云安科技有限公司 | Distributed data acquisition method and system based on SMB protocol |
Similar Documents
Publication | Title |
---|---|
CN112491860A (en) | Industrial control network-oriented collaborative intrusion detection method |
CN109962891B (en) | Method, device and equipment for monitoring cloud security and computer storage medium |
CN105208037B (en) | A kind of DoS/DDoS attack detectings and filter method based on lightweight intrusion detection |
CN111245793A (en) | Method and device for analyzing abnormity of network data |
CN105024877B (en) | A kind of Hadoop malicious node detecting systems based on user's behaviors analysis |
Catak et al. | Distributed denial of service attack detection using autoencoder and deep neural networks |
CN108259498B (en) | Intrusion detection method and system based on BP algorithm of artificial bee colony optimization |
CN112468347B (en) | Security management method and device for cloud platform, electronic equipment and storage medium |
WO2013055807A1 (en) | Detecting emergent behavior in communications networks |
CN109818964B (en) | DDoS attack detection method, device, equipment and storage medium |
CN113094707B (en) | Lateral movement attack detection method and system based on heterogeneous graph network |
CN115134099B (en) | Network attack behavior analysis method and device based on full flow |
CN112560029A (en) | Website content monitoring and automatic response protection method based on intelligent analysis technology |
CN110768946A (en) | Industrial control network intrusion detection system and method based on bloom filter |
CN111049827A (en) | Network system safety protection method, device and related equipment |
CN112261042B (en) | Anti-seepage system based on attack hazard assessment |
CN115795330A (en) | Medical information anomaly detection method and system based on AI algorithm |
Elfeshawy et al. | Divided two-part adaptive intrusion detection system |
CN113645181A (en) | Distributed protocol attack detection method and system based on isolated forest |
CN115766081A (en) | Abnormal flow detection method and device for power industrial control cloud platform |
CN115883213A (en) | APT detection method and system based on continuous time dynamic heterogeneous graph neural network |
Moussas et al. | Adaptive network anomaly detection using bandwidth utilization data |
EP2766814B1 (en) | Detecting emergent behavior in communications networks |
KR102592868B1 (en) | Methods and electronic devices for analyzing cybersecurity threats to organizations |
Madiba et al. | Evaluation of Intrusion Detection System for the Distributed Denial of Service Attack on Internet of Things in Fog Computing Environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20210312 |