CN113691505B - Industrial internet intrusion detection method based on big data - Google Patents


Info

Publication number: CN113691505B
Authority: CN (China)
Prior art keywords: terminal, target, attack, state, node
Legal status: Active
Application number: CN202110897841.7A
Other languages: Chinese (zh)
Other versions: CN113691505A (en)
Inventor: 黎阳
Current assignee: Gu'an Julong Automation Equipment Co ltd
Original assignee: Gu'an Julong Automation Equipment Co ltd
Application filed by Gu'an Julong Automation Equipment Co ltd
Priority to CN202110897841.7A
Publication of CN113691505A
Application granted
Publication of CN113691505B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an industrial internet intrusion detection method based on big data, which comprises the following steps: generating a multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet; establishing a behavior prediction function according to the first and second time-series behavior characteristics of a target terminal, predicting the first and second behavior characteristics of the target terminal at the next moment from the behavior prediction function and its first and second behavior characteristics at the current moment so as to determine the time-sequence running direction of the target terminal at the next moment, and then obtaining a boundary point of the multi-dimensional steady-state domain according to that running direction; and calculating the distance between the state point of the target terminal at the current moment and the boundary point of the multi-dimensional steady-state domain to obtain a domain boundary distance, and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than a domain boundary threshold value.

Description

Industrial Internet intrusion detection method based on big data
Technical Field
The invention relates to the field of big data and industrial Internet, in particular to an industrial Internet intrusion detection method based on big data.
Background
With the continuous deepening of the integration of industrialization and informatization, the penetration of industrial internet and manufacturing industry is accelerated, the transition of industrial production equipment from digitalization to networking is promoted, the transition of industrial production environment from closing to opening is promoted, and the transition of production process from automation to intellectualization is promoted. Industrial equipment and systems of physical space and manufacturing, management and service processes are mapped to network space through digital technology, the security boundary of information systems and industrial systems is continuously blurred, and the importance and urgency of industrial internet security protection are increasingly highlighted. In order to meet new requirements, new characteristics and new trends of industrial protection object security guarantee, industrial internet security boundaries are continuously extended and a security technology system is rapidly evolved.
In recent years, frequent industrial internet security incidents have caused increasingly severe economic losses to industrial enterprises and ever wider and more serious social impact. Because the network boundary has become blurred, platforms and equipment have become the main attack targets; the industrial internet platform is still at a primary stage, its security protection system is still imperfect, security vulnerabilities such as weak passwords, remote command execution, information leakage and authority bypass are common, networked platform equipment is frequently subjected to scanning, probing and malicious-program monitoring, and important sensitive data is leaked from time to time.
Disclosure of Invention
In view of this, the present invention provides a big data-based industrial internet intrusion detection method, which includes: generating a multi-dimensional steady-state domain based on terminal behavior data of all first terminals and historical intrusion data of the industrial internet;
acquiring terminal behavior data of a target terminal, and acquiring terminal receiving data and terminal sending data of the target terminal based on the terminal behavior data of the target terminal;
extracting the time sequence characteristics of the terminal sending data of the target terminal, and taking the time sequence characteristics as the first time sequence behavior characteristics of the target terminal; extracting the time sequence characteristics of the terminal receiving data of the target terminal, and taking the time sequence characteristics as second time sequence behavior characteristics of the target terminal; the first time-series behavior characteristic comprises a data transmission characteristic recorded in time series; the second time series behavior characteristic comprises a chronologically recorded data reception characteristic;
establishing a behavior prediction function based on the first time sequence behavior characteristic and the second time sequence behavior characteristic, extracting a first behavior characteristic of a target terminal at the current moment based on the first time sequence behavior characteristic, and then extracting a second behavior characteristic of the target terminal at the current moment based on the second time sequence behavior characteristic; the first behavior feature is a data transmission feature; the second behavior feature is a data reception feature;
predicting a first behavior characteristic of the target terminal at the next moment and a second behavior characteristic of the target terminal at the next moment based on the behavior prediction function, the first behavior characteristic of the target terminal at the current moment and the second behavior characteristic of the target terminal at the current moment;
acquiring a first behavior state vector and a second behavior state vector of the target terminal at the current moment, and a first behavior state vector and a second behavior state vector of the target terminal at the next moment, based respectively on the first and second behavior features of the target terminal at the current moment and the predicted first and second behavior features of the target terminal at the next moment;
determining the time-sequence running direction of the target terminal at the next moment based on the first and second behavior state vectors of the target terminal at the current moment and the first and second behavior state vectors of the target terminal at the next moment;
acquiring a state point of the target terminal at the current moment based on the first behavior state vector and the second behavior state vector of the target terminal at the current moment;
continuously attacking the defense state of the industrial internet along the time-sequence running direction to obtain boundary points of the multi-dimensional steady-state domain, calculating the distance between the state point of the target terminal at the current moment and the boundary points of the multi-dimensional steady-state domain, and taking this distance as the domain boundary distance; and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than a domain boundary threshold value.
According to a preferred embodiment, the target terminal is a terminal device accessing the industrial internet; the first terminal is terminal equipment which has historically accessed the industrial Internet; the second terminal is terminal equipment with intrusion behavior; the terminal device is a device having a data transmission function and a communication function, and includes: smart phones, smart watches, tablet computers, laptops and desktop computers.
According to a preferred embodiment, generating the multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet comprises:
identifying, from the historical intrusion data of the industrial internet, all first terminals that have intruded into the industrial internet and taking them as second terminals; randomly selecting one second terminal as the target second terminal, and then acquiring the terminal behavior data of the target second terminal;
acquiring the terminal sending data and terminal receiving data of the target second terminal based on its terminal behavior data, and extracting data characteristics from them to obtain the terminal sending characteristics and terminal receiving characteristics of the target second terminal;
determining a plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics, continuously attacking the defense state of the industrial internet along these network attack directions, and stopping only when the defense state of the industrial internet is damaged, so as to obtain a two-dimensional steady-state domain of the target second terminal;
selecting the other second terminals in turn as the target second terminal and repeating the above steps until all second terminals have been traversed, so as to obtain the two-dimensional steady-state domain of each second terminal;
and generating the multi-dimensional steady-state domain from the two-dimensional steady-state domains of all second terminals.
According to a preferred embodiment, obtaining the two-dimensional steady-state domain of the target second terminal based on its plurality of network attack directions includes:
randomly selecting one of the network attack directions of the target second terminal as the target network attack direction, and continuously attacking the defense state of the industrial internet along the target network attack direction until the defense state of the industrial internet in that direction is damaged; the defense state in the target network attack direction being damaged means that it has changed from a stable state to a fluctuating state;
acquiring the limit point of the industrial internet at the moment the defense state in the target network attack direction changes from the stable state to the fluctuating state, and taking this limit point as the defense damage point of the industrial internet in the target network attack direction;
selecting the other network attack directions of the target second terminal in turn as the target network attack direction and repeating the above operation until all network attack directions of the target second terminal have been traversed, so as to obtain the defense damage point of the industrial internet in each network attack direction of the target second terminal;
and connecting the defense damage points of the industrial internet in each network attack direction of the target second terminal to obtain the two-dimensional steady-state domain of the target second terminal.
According to a preferred embodiment, determining the plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics comprises:
generating a sending characteristic vector from the terminal sending characteristics and a receiving characteristic vector from the terminal receiving characteristics, and identifying, based on these two vectors, the plurality of attack nodes through which the target second terminal attacks the industrial internet;
acquiring a first node feature vector and a second node feature vector of each attack node; the first node feature vector represents the data transmission features of the attack node, and the second node feature vector represents its data reception features;
acquiring all neighbor attack nodes of each attack node based on its first and second node feature vectors, and connecting each attack node in sequence with its neighbor attack nodes to generate the attack curve of that attack node;
and taking the tangent direction of the attack curve of each attack node as the network attack direction of that attack node, and then obtaining the plurality of network attack directions of the target second terminal from the network attack directions of all attack nodes.
According to a preferred embodiment, obtaining the neighbor attack nodes of an attack node based on its first node feature vector and second node feature vector comprises:
calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a first proximity value between each attack node and each other attack node;
calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a second proximity value between each attack node and each other attack node;
calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a third proximity value between each attack node and each other attack node;
and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a fourth proximity value between each attack node and each other attack node.
According to a preferred embodiment, obtaining the neighbor attack nodes of an attack node based on its first node feature vector and second node feature vector further comprises the following steps:
traversing all attack nodes, taking the attack node currently traversed as the target attack node, and taking all attack nodes other than the target attack node as candidate attack nodes of the target attack node;
traversing all candidate attack nodes of the target attack node, and taking the candidate attack node currently traversed as the target candidate attack node;
comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with a first, second, third and fourth proximity threshold respectively;
and when the first proximity value between the target attack node and the target candidate attack node is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node.
According to a preferred embodiment, acquiring the limit point of the industrial internet at the moment the defense state in the target network attack direction changes from the stable state to the fluctuating state comprises the following steps:
acquiring from a database the network structure data of the industrial internet, its network structure data in the stable state and its network structure data in the fluctuating state, and determining a steady-state constraint condition of the industrial internet based on the network structure parameters of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuating state;
acquiring the historical intrusion data of the industrial internet from the database, extracting intrusion time-series characteristics from the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
predicting the defense state of the industrial internet at the next moment based on the intrusion time-series characteristics and the defense state at the current moment, acquiring the defense state vector at the current moment from the defense state at the current moment, and acquiring the defense state vector at the next moment from the defense state at the next moment;
calculating the network attack direction at the next moment based on the defense state vectors at the current moment and at the next moment, and extracting the network structure characteristics of the industrial internet at the current moment and the network structure characteristics of the industrial internet when its defense state is in the fluctuating state;
calculating the similarity between the network structure characteristics at the current moment and the network structure characteristics in the fluctuating state, and verifying, based on the steady-state constraint condition and this similarity, whether the defense state of the industrial internet at the current moment is in the fluctuating state;
when the defense state at the current moment is in the fluctuating state, generating a state point at the current moment from the defense state vector at the current moment and taking this state point as the limit point;
and when the defense state at the current moment is in the stable state, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is in the fluctuating state, then generating the state point at the current moment from the defense state vector at the current moment and taking it as the limit point.
According to a preferred embodiment, when the network structure characteristics of the industrial internet meet the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and its network structure characteristics in the fluctuating state is less than a similarity threshold, the defense state of the industrial internet is the stable state; the stable state is the defense state in which the industrial internet is in its normal condition;
when the network structure characteristics of the industrial internet do not meet the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and its network structure characteristics in the fluctuating state is greater than or equal to the similarity threshold, the defense state of the industrial internet is the fluctuating state; the fluctuating state is the defense state in which the industrial internet is damaged;
when the network structure characteristics of the industrial internet do not meet the steady-state constraint condition and the similarity between the network structure characteristics of the industrial internet and its network structure characteristics in the fluctuating state is less than the similarity threshold, the defense state of the industrial internet is the critical state; the critical state is the state at the boundary between the stable state and the fluctuating state of the defense state of the industrial internet.
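The three-state rule just given, together with the moment-by-moment search for the limit point described in the preceding embodiment, as an added Python example (not the patent's own code). It assumes that network structure characteristics are feature vectors scaled to [0, 1], that the steady-state constraint condition is a per-feature upper bound, and that similarity is 1 minus the normalized Euclidean distance to a fluctuating-state profile; all names, vectors and thresholds are constructed. The page defines only three of the four possible combinations of constraint result and similarity, so the fourth (constraint met but similarity at or above the threshold) is reported as unclassified rather than guessed.

```python
# Added example, not the patent's own code. Assumptions: network structure
# characteristics are feature vectors in [0, 1]; the steady-state constraint
# is a per-feature upper bound; similarity is 1 minus the normalized Euclidean
# distance to the fluctuating-state profile. All data below is constructed.
from math import sqrt
from typing import List, Optional, Sequence, Tuple

STABLE, FLUCTUATING, CRITICAL, UNCLASSIFIED = "stable", "fluctuating", "critical", "unclassified"

# Constructed sample data: features are (link load, error ratio, new-connection ratio).
FLUCTUATING_PROFILE = (0.9, 0.8, 0.95)   # network structure characteristics in the fluctuating state
STEADY_STATE_BOUNDS = (0.6, 0.6, 0.6)    # steady-state constraint: each feature <= its bound
SIMILARITY_THRESHOLD = 0.7

# Constructed sequence of predicted defense states, one per moment.
PREDICTED_STATES: List[Tuple[float, float, float]] = [
    (0.3, 0.05, 0.2),   # stable
    (0.7, 0.10, 0.3),   # constraint violated but unlike the damaged profile: critical
    (0.95, 0.70, 0.9),  # fluctuating
]


def similarity(a: Sequence[float], b: Sequence[float]) -> float:
    """1 - normalized Euclidean distance: 1.0 for identical vectors, 0.0 for opposite corners."""
    dist = sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return 1.0 - dist / sqrt(len(a))


def meets_constraint(features: Sequence[float], bounds: Sequence[float]) -> bool:
    """Steady-state constraint condition: every feature within its bound."""
    return all(f <= bound for f, bound in zip(features, bounds))


def classify_defense_state(features: Sequence[float], bounds: Sequence[float] = STEADY_STATE_BOUNDS,
                           profile: Sequence[float] = FLUCTUATING_PROFILE,
                           threshold: float = SIMILARITY_THRESHOLD) -> str:
    """The three cases defined on the page; the fourth combination is reported, not guessed."""
    ok = meets_constraint(features, bounds)
    sim = similarity(features, profile)
    if ok and sim < threshold:
        return STABLE
    if not ok and sim >= threshold:
        return FLUCTUATING
    if not ok and sim < threshold:
        return CRITICAL
    return UNCLASSIFIED  # constraint met but close to the damaged profile: not defined on the page


def find_limit_point(states: Sequence[Sequence[float]], **kw) -> Optional[Tuple[int, Tuple[float, ...]]]:
    """Walk the predicted defense states moment by moment; the first fluctuating one is the
    limit point, returned as (moment index, state vector). None if the sequence never fluctuates."""
    for moment, state in enumerate(states):
        if classify_defense_state(state, **kw) == FLUCTUATING:
            return moment, tuple(state)
    return None


if __name__ == "__main__":
    for state in PREDICTED_STATES:
        print(state, classify_defense_state(state))
    print("limit point:", find_limit_point(PREDICTED_STATES))
```

A practical caveat visible in the code: whether the fourth combination is reachable depends on how the constraint bounds and the similarity threshold are chosen, so a deployment should either tune them so it cannot occur or decide explicitly how to treat it.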
The invention has the following beneficial effects: the method generates the multi-dimensional steady-state domain through the terminal behavior data of the first terminal and the historical intrusion data of the industrial internet, and judges the domain boundary distance between the target terminal and the multi-dimensional steady-state domain according to the terminal behavior data of the target terminal so as to judge whether the target terminal is an intrusion terminal. In addition, the invention realizes intrusion detection on the industrial Internet platform, intercepts all operation behaviors of the target terminal when the target terminal is the intrusion terminal so as to ensure the safety of data in the industrial Internet and avoid economic loss caused by data leakage.
Drawings
Fig. 1 is a flowchart of a big data-based intrusion detection method for an industrial internet according to an exemplary embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, in one embodiment, a big data based industrial internet intrusion detection method may include:
S1, generating a multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet.
In one embodiment, generating the multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet comprises:
identifying, from the historical intrusion data of the industrial internet, all first terminals that have intruded into the industrial internet and taking them as second terminals; randomly selecting one second terminal as the target second terminal, and then acquiring the terminal behavior data of the target second terminal;
acquiring the terminal sending data and terminal receiving data of the target second terminal based on its terminal behavior data, and extracting data characteristics from them to obtain the terminal sending characteristics and terminal receiving characteristics of the target second terminal;
determining a plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics, continuously attacking the defense state of the industrial internet along these network attack directions, and stopping only when the defense state of the industrial internet is damaged, so as to obtain a two-dimensional steady-state domain of the target second terminal;
selecting the other second terminals in turn as the target second terminal and repeating the above steps until all second terminals have been traversed, so as to obtain the two-dimensional steady-state domain of each second terminal;
and generating the multi-dimensional steady-state domain from the two-dimensional steady-state domains of all second terminals.
In one embodiment, obtaining the two-dimensional steady-state domain of the target second terminal based on its plurality of network attack directions includes:
randomly selecting one of the network attack directions of the target second terminal as the target network attack direction, and continuously attacking the defense state of the industrial internet along the target network attack direction until the defense state of the industrial internet in that direction is damaged; the defense state in the target network attack direction being damaged means that it has changed from a stable state to a fluctuating state;
acquiring the limit point of the industrial internet at the moment the defense state in the target network attack direction changes from the stable state to the fluctuating state, and taking this limit point as the defense damage point of the industrial internet in the target network attack direction;
selecting the other network attack directions of the target second terminal in turn as the target network attack direction and repeating the above operation until all network attack directions of the target second terminal have been traversed, so as to obtain the defense damage point of the industrial internet in each network attack direction of the target second terminal;
and connecting the defense damage points of the industrial internet in each network attack direction of the target second terminal to obtain the two-dimensional steady-state domain of the target second terminal.
In one embodiment, determining the plurality of network attack directions of the target second terminal based on its terminal sending characteristics and terminal receiving characteristics comprises:
generating a sending characteristic vector from the terminal sending characteristics and a receiving characteristic vector from the terminal receiving characteristics, and identifying, based on these two vectors, the plurality of attack nodes through which the target second terminal attacks the industrial internet;
acquiring a first node feature vector and a second node feature vector of each attack node; the first node feature vector represents the data transmission features of the attack node, and the second node feature vector represents its data reception features;
acquiring all neighbor attack nodes of each attack node based on its first and second node feature vectors, and connecting each attack node in sequence with its neighbor attack nodes to generate the attack curve of that attack node;
and taking the tangent direction of the attack curve of each attack node as the network attack direction of that attack node, and then obtaining the plurality of network attack directions of the target second terminal from the network attack directions of all attack nodes.
In one embodiment, obtaining the neighbor attack nodes of an attack node based on its first node feature vector and second node feature vector comprises:
calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a first proximity value between each attack node and each other attack node;
calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a second proximity value between each attack node and each other attack node;
calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a third proximity value between each attack node and each other attack node;
and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a fourth proximity value between each attack node and each other attack node.
In one embodiment, obtaining the neighbor attack nodes of an attack node based on its first node feature vector and second node feature vector further comprises:
traversing all attack nodes, taking the attack node currently traversed as the target attack node, and taking all attack nodes other than the target attack node as candidate attack nodes of the target attack node;
traversing all candidate attack nodes of the target attack node, and taking the candidate attack node currently traversed as the target candidate attack node;
comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with a first, second, third and fourth proximity threshold respectively;
and when the first proximity value between the target attack node and the target candidate attack node is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node.
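The four proximity values and the neighbor rule, as stated both here and in the corresponding preferred embodiments of the disclosure, as an added Python example (not the patent's own code). It assumes cosine similarity as the similarity measure and uses constructed node feature vectors and thresholds; the node names A to D are placeholders. Node B shares A's transmission and reception profile and so qualifies on all four values; node C has the roles swapped and fails the first value; node D is built so that it passes the first two values and fails only the third, which shows why the cross checks (first against second vector) are there.

```python
# Added example, not the patent's own code. Assumptions: the first and second
# node feature vectors are numeric vectors; similarity is cosine similarity;
# node names, vectors and thresholds are constructed.
from math import sqrt
from typing import Dict, List, Sequence, Tuple

Vec = Sequence[float]

# Constructed attack nodes taken from historical intrusion data: (first, second) node
# feature vectors, i.e. data transmission features and data reception features.
ATTACK_NODES: Dict[str, Tuple[Vec, Vec]] = {
    "A": ((1.0, 0.0, 0.0), (0.0, 1.0, 0.0)),
    "B": ((0.9, 0.1, 0.0), (0.1, 0.9, 0.0)),   # same send/receive profile as A
    "C": ((0.0, 1.0, 0.0), (1.0, 0.0, 0.0)),   # A with send and receive roles swapped
    "D": ((0.9, 0.1, 0.0), (0.4, 0.92, 0.0)),  # sends like A, but its receive side resembles A's send side
}
# (first, second, third, fourth) proximity thresholds: the first two must be exceeded,
# the last two must not be reached.
THRESHOLDS = (0.9, 0.9, 0.3, 0.3)


def cosine_similarity(a: Vec, b: Vec) -> float:
    """Cosine similarity; 0.0 when either vector is all zeros."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return 0.0 if na == 0.0 or nb == 0.0 else dot / (na * nb)


def proximity_values(node_i: Tuple[Vec, Vec], node_j: Tuple[Vec, Vec]) -> Tuple[float, float, float, float]:
    """The four proximity values of the page: first/first, second/second, first/second, second/first."""
    first_i, second_i = node_i
    first_j, second_j = node_j
    return (cosine_similarity(first_i, first_j),
            cosine_similarity(second_i, second_j),
            cosine_similarity(first_i, second_j),
            cosine_similarity(second_i, first_j))


def is_neighbor(prox: Tuple[float, float, float, float], thresholds=THRESHOLDS) -> bool:
    """Neighbor rule: p1 > t1, p2 > t2, p3 < t3 and p4 < t4."""
    p1, p2, p3, p4 = prox
    t1, t2, t3, t4 = thresholds
    return p1 > t1 and p2 > t2 and p3 < t3 and p4 < t4


def neighbor_attack_nodes(nodes: Dict[str, Tuple[Vec, Vec]] = ATTACK_NODES,
                          thresholds=THRESHOLDS) -> Dict[str, List[str]]:
    """Traverse every attack node as the target and every other node as a candidate."""
    result: Dict[str, List[str]] = {}
    for target, target_vecs in nodes.items():
        result[target] = [cand for cand, cand_vecs in nodes.items()
                          if cand != target
                          and is_neighbor(proximity_values(target_vecs, cand_vecs), thresholds)]
    return result


if __name__ == "__main__":
    for node, neighbors in neighbor_attack_nodes().items():
        print(node, "->", neighbors)
```

Note that the relation is not guaranteed to be symmetric: the third and fourth values swap places when the roles of target and candidate are exchanged, so a deployment that builds attack curves from these lists should decide whether it wants a directed or an undirected neighborhood.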
In one embodiment, acquiring the limit point of the industrial internet when the defense state in the target network attack direction changes from the stable state to the fluctuation state comprises the following steps:
acquiring the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuation state from a database, and determining a steady-state constraint condition of the industrial internet based on these three sets of network structure data;
acquiring the historical intrusion data of the industrial internet from the database, extracting the intrusion time-series features of the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
predicting the defense state of the industrial internet at the next moment based on the intrusion time-series features and the defense state at the current moment, acquiring the defense state vector at the current moment from the defense state at the current moment, and acquiring the defense state vector at the next moment from the predicted defense state at the next moment;
calculating the network attack direction at the next moment from the defense state vector at the current moment and the defense state vector at the next moment, and extracting the network structure features of the industrial internet at the current moment and the network structure features of the industrial internet when its defense state is in the fluctuation state;
calculating the similarity between the network structure features at the current moment and the network structure features in the fluctuation state, and verifying, based on the steady-state constraint condition and this similarity, whether the defense state of the industrial internet at the current moment is in the fluctuation state;
when the defense state at the current moment is in the fluctuation state, generating the state point for the current moment from the defense state vector at the current moment and taking that state point as the limit point;
and when the defense state at the current moment is in the stable state, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is in the fluctuation state, then generating the state point for that moment from its defense state vector and taking it as the limit point.
In one embodiment, the defense state of the industrial internet is the stable state when the network structure features of the industrial internet satisfy the steady-state constraint condition and the similarity between those features and the network structure features of the fluctuation state is less than a similarity threshold; the stable state is the normal defense state of the industrial internet;
when the network structure features do not satisfy the steady-state constraint condition and the similarity between those features and the network structure features of the fluctuation state is greater than or equal to the similarity threshold, the defense state is the fluctuation state; the fluctuation state is the damaged defense state of the industrial internet;
and when the network structure features do not satisfy the steady-state constraint condition and the similarity between those features and the network structure features of the fluctuation state is less than the similarity threshold, the defense state is the critical state; the critical state is the transition between the stable state and the fluctuation state. The remaining combination, in which the steady-state constraint condition is satisfied but the similarity reaches the threshold, is not assigned a state by this embodiment.
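As an added worked example (not code from the patent), the three-way state classification just defined together with the limit-point search of the preceding embodiment (the same procedure as claim 7), in Python. Assumptions not fixed by the text: the steady-state constraint condition is taken to be a (lower, upper) bound per network structure feature, the defense state vector is identified with the network structure feature vector, the similarity is cosine similarity, the next defense state is predicted by adding the mean step of a historical intrusion series to the current state, and the state point is the defense state vector itself. The constraint bounds, the fluctuation-state features, the similarity threshold and the intrusion history are constructed sample values. The text does not say what happens when the current state is critical; the example keeps advancing time in that case (an assumption), and it bounds the number of steps because the loop in the text has no exit until the fluctuation state is reached.

```python
import math

# Constructed sample values (assumptions, see lead-in).
# Steady-state constraint: (lower, upper) bound per network structure feature.
CONSTRAINT = ((0.7, 1.0), (0.0, 0.3))
# Network structure features of the industrial internet in the fluctuation state.
FLUCT_FEATURES = (0.0, 1.0)
SIM_THRESHOLD = 0.75
# Defense states observed in chronological order during a historical intrusion.
INTRUSION_HISTORY = [(1.0, 0.0), (0.875, 0.25), (0.75, 0.5)]


def cosine(u, v):
    dot = sum(a * b for a, b in zip(u, v))
    nu = math.sqrt(sum(a * a for a in u))
    nv = math.sqrt(sum(b * b for b in v))
    return dot / (nu * nv) if nu and nv else 0.0


def meets_steady_constraint(features, constraint=CONSTRAINT):
    return all(lo <= x <= hi for x, (lo, hi) in zip(features, constraint))


def classify_defense_state(features, constraint=CONSTRAINT,
                           fluct=FLUCT_FEATURES, sim_threshold=SIM_THRESHOLD):
    """stable / fluctuation / critical as defined in the text.  The combination
    'constraint met but similarity at or above threshold' is left undefined by
    the text; it is treated as critical here (assumption)."""
    steady = meets_steady_constraint(features, constraint)
    sim = cosine(features, fluct)
    if steady and sim < sim_threshold:
        return "stable"
    if not steady and sim >= sim_threshold:
        return "fluctuation"
    return "critical"


def intrusion_drift(history):
    """Intrusion time-series feature (assumed): mean step between consecutive
    defense states of a historical intrusion."""
    steps = [tuple(b - a for a, b in zip(history[k], history[k + 1]))
             for k in range(len(history) - 1)]
    return tuple(sum(s[d] for s in steps) / len(steps)
                 for d in range(len(steps[0])))


def predict_next_state(current, drift):
    """Defense state at the next moment: current state plus the drift."""
    return tuple(c + d for c, d in zip(current, drift))


def attack_direction(current, nxt):
    """Network attack direction at the next moment: unit vector from the current
    defense state vector to the predicted one (None if there is no movement)."""
    delta = [b - a for a, b in zip(current, nxt)]
    norm = math.sqrt(sum(x * x for x in delta))
    return tuple(x / norm for x in delta) if norm else None


def find_limit_point(start, drift, constraint=CONSTRAINT, fluct=FLUCT_FEATURES,
                     sim_threshold=SIM_THRESHOLD, max_steps=100):
    """Advance the predicted defense state one moment at a time until it is in
    the fluctuation state; return (moment index, limit point, state trace), or
    None if the fluctuation state is not reached within max_steps."""
    current = tuple(start)
    trace = []
    for t in range(max_steps):
        state = classify_defense_state(current, constraint, fluct, sim_threshold)
        trace.append(state)
        if state == "fluctuation":
            return t, current, trace               # state point = limit point
        current = predict_next_state(current, drift)   # next moment becomes current
    return None


if __name__ == "__main__":
    drift = intrusion_drift(INTRUSION_HISTORY)
    nxt = predict_next_state((1.0, 0.0), drift)
    print("drift", drift, "attack direction", attack_direction((1.0, 0.0), nxt))
    print(find_limit_point((1.0, 0.0), drift))
```

With the sample values the trajectory passes through the critical state for one moment before reaching the fluctuation state at the fourth moment, which is the point the method records as the defense damage point for that attack direction.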
In one embodiment, the target terminal is a terminal device that is accessing the industrial internet; the first terminal is a terminal device that has historically accessed the industrial internet; the second terminal is a terminal device that has exhibited intrusion behavior. A terminal device is a device with data transmission and communication functions, including smart phones, smart watches, tablet computers, laptops and desktop computers.
S2, acquiring the terminal behavior data of the target terminal, and obtaining from it the terminal receiving data and the terminal sending data of the target terminal; extracting the time-series features of the terminal sending data and taking them as the first time-series behavior features of the target terminal; and extracting the time-series features of the terminal receiving data and taking them as the second time-series behavior features of the target terminal.
The terminal behavior data comprises the terminal sending data and the terminal receiving data: the terminal sending data is the data the terminal device sends to the industrial internet, and the terminal receiving data is the data the terminal device receives from the industrial internet.
The first time-series behavior features are data transmission features recorded in chronological order, and the second time-series behavior features are data reception features recorded in chronological order.
S3, establishing a behavior prediction function from the first and second time-series behavior features, extracting the first behavior feature of the target terminal at the current moment from the first time-series behavior features, and then extracting the second behavior feature of the target terminal at the current moment from the second time-series behavior features.
The first behavior feature is a data transmission feature and the second behavior feature is a data reception feature.
S4, predicting the first behavior feature and the second behavior feature of the target terminal at the next moment based on the behavior prediction function and the first and second behavior features of the target terminal at the current moment.
S5, acquiring the first and second behavior state vectors of the target terminal at the current moment and the first and second behavior state vectors of the target terminal at the next moment from, respectively, the first and second behavior features at the current moment and the predicted first and second behavior features at the next moment.
The first behavior state vector characterizes the data transmission state and the second behavior state vector characterizes the data reception state.
S6, determining the time-series running direction of the target terminal at the next moment from the first and second behavior state vectors at the current moment and the first and second behavior state vectors at the next moment.
S7, acquiring the state point of the target terminal at the current moment from its first and second behavior state vectors at the current moment; continuously attacking the defense state of the industrial internet along the time-series running direction to obtain the boundary point of the multi-dimensional steady-state domain in that direction, calculating the distance between the state point of the target terminal at the current moment and that boundary point, and taking this distance as the domain boundary distance of the target terminal; and intercepting all operation behaviors of the target terminal when its domain boundary distance is smaller than the domain boundary threshold.
The state point of the target terminal represents the position of the target terminal's running state within the multi-dimensional steady-state domain, and the boundary point lies on the boundary of the multi-dimensional steady-state domain.
The domain boundary threshold is used to identify whether the target terminal exhibits intrusion behavior: when the domain boundary distance of the target terminal is not smaller than the domain boundary threshold, the target terminal exhibits no intrusion behavior, and when the domain boundary distance is smaller than the domain boundary threshold, the target terminal exhibits intrusion behavior.
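As an added worked example (not code from the patent), steps S2 to S7 for one target terminal in Python, which is also the procedure of claim 1. The text leaves the behavior prediction function, the form of the behavior state vectors and the shape of the multi-dimensional steady-state domain open. This example assumes a least-squares linear trend per series as the prediction function, uses the last observed and the predicted (sent, received) values as the current and next state points, and represents the steady-state domain as a convex polygon on the (sent, received) plane whose vertices are assumed defense damage points. "Continuously attacking along the running direction until the boundary is reached" is implemented as casting a ray from the state point along the running direction and taking its first intersection with the polygon boundary. The two terminals' traffic series, the domain and the threshold are constructed sample values.

```python
import math

# Constructed sample data: bytes per interval recorded in chronological order.
# Terminal A ramps both directions up towards the domain boundary.
SENT_A = [100, 120, 140, 160, 180]
RECEIVED_A = [400, 420, 440, 460, 480]
# Terminal B keeps a flat send rate and a slowly falling receive rate.
SENT_B = [150, 150, 150, 150, 150]
RECEIVED_B = [300, 290, 280, 270, 260]

# Assumed multi-dimensional steady-state domain: convex polygon on the
# (sent, received) plane, vertices listed in order around the boundary.
STEADY_DOMAIN = [(0.0, 0.0), (400.0, 0.0), (400.0, 500.0), (0.0, 500.0)]
DOMAIN_BOUNDARY_THRESHOLD = 60.0   # assumed


def linear_trend(series):
    """Behavior prediction function (assumed): least-squares line through the
    time-series behavior features; returns (slope, intercept)."""
    n = len(series)
    xm = (n - 1) / 2
    ym = sum(series) / n
    sxy = sum((i - xm) * (y - ym) for i, y in enumerate(series))
    sxx = sum((i - xm) ** 2 for i in range(n))
    slope = sxy / sxx if sxx else 0.0
    return slope, ym - slope * xm


def predict_next(series):
    """S4: the behavior feature at the next moment from the fitted trend."""
    slope, intercept = linear_trend(series)
    return slope * len(series) + intercept


def running_direction(current, nxt):
    """S6: unit vector from the current state point to the next one."""
    dx, dy = nxt[0] - current[0], nxt[1] - current[1]
    norm = math.hypot(dx, dy)
    return (dx / norm, dy / norm) if norm else None


def boundary_hit(origin, direction, polygon):
    """S7: first point where the ray from origin along direction reaches the
    polygon boundary.  Returns (distance, point) or None if nothing is hit."""
    best = None
    for k in range(len(polygon)):
        px, py = polygon[k]
        qx, qy = polygon[(k + 1) % len(polygon)]
        ex, ey = qx - px, qy - py
        denom = direction[0] * ey - direction[1] * ex
        if abs(denom) < 1e-12:          # ray parallel to this edge
            continue
        wx, wy = px - origin[0], py - origin[1]
        t = (wx * ey - wy * ex) / denom                      # distance along ray
        u = (wx * direction[1] - wy * direction[0]) / denom  # position on edge
        if t >= 0 and 0 <= u <= 1 and (best is None or t < best[0]):
            best = (t, (origin[0] + t * direction[0], origin[1] + t * direction[1]))
    return best


def assess_terminal(sent, received, domain=STEADY_DOMAIN,
                    threshold=DOMAIN_BOUNDARY_THRESHOLD):
    """S2-S7 for one target terminal: state points, running direction,
    boundary point, domain boundary distance and the intercept decision."""
    current = (float(sent[-1]), float(received[-1]))      # S3/S5: current moment
    nxt = (predict_next(sent), predict_next(received))    # S4/S5: next moment
    direction = running_direction(current, nxt)           # S6
    result = {"state_point": current, "next_point": nxt, "direction": direction,
              "boundary_point": None, "distance": None, "intercept": False}
    if direction is None:
        return result   # no movement predicted: nothing to attack along
    hit = boundary_hit(current, direction, domain)
    if hit is not None:
        result["distance"], result["boundary_point"] = hit
        result["intercept"] = hit[0] < threshold
    return result


if __name__ == "__main__":
    for name, s, r in (("A", SENT_A, RECEIVED_A), ("B", SENT_B, RECEIVED_B)):
        print(name, assess_terminal(s, r))
```

Terminal A is 28.3 units from the boundary along its predicted direction and is intercepted; terminal B moves away from the nearest edge and is 260 units from the boundary. The domain boundary distance is a Euclidean distance in feature units, so the threshold is only meaningful when the sent and received features are on comparable scales.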
The method generates the multi-dimensional steady-state domain from the terminal behavior data of the first terminals and the historical intrusion data of the industrial internet, and determines the domain boundary distance between the target terminal and the multi-dimensional steady-state domain from the terminal behavior data of the target terminal in order to judge whether the target terminal is an intrusion terminal. In addition, the invention performs intrusion detection on the industrial internet platform and intercepts all operation behaviors of the target terminal when it is an intrusion terminal, so as to protect the data in the industrial internet and avoid the economic loss caused by data leakage.
Various modifications and alterations of this invention may be made by those skilled in the art without departing from the spirit and scope of this invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (7)

1. An industrial internet intrusion detection method based on big data, characterized in that a multi-dimensional steady-state domain is generated based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet;
acquiring the terminal behavior data of a target terminal, and obtaining from it the terminal receiving data and the terminal sending data of the target terminal; the target terminal is a terminal device that is accessing the industrial internet; the first terminals are terminal devices that have historically accessed the industrial internet;
extracting the time-series features of the terminal sending data of the target terminal and taking them as the first time-series behavior features of the target terminal; extracting the time-series features of the terminal receiving data of the target terminal and taking them as the second time-series behavior features of the target terminal; the first time-series behavior features comprise data transmission features recorded in chronological order; the second time-series behavior features comprise data reception features recorded in chronological order;
establishing a behavior prediction function based on the first and second time-series behavior features, extracting the first behavior feature of the target terminal at the current moment from the first time-series behavior features, and then extracting the second behavior feature of the target terminal at the current moment from the second time-series behavior features; the first behavior feature is a data transmission feature; the second behavior feature is a data reception feature;
predicting the first behavior feature and the second behavior feature of the target terminal at the next moment based on the behavior prediction function and the first and second behavior features of the target terminal at the current moment;
acquiring the first and second behavior state vectors of the target terminal at the current moment and the first and second behavior state vectors of the target terminal at the next moment from, respectively, the first and second behavior features at the current moment and the predicted first and second behavior features at the next moment;
determining the time-series running direction of the target terminal at the next moment based on the first and second behavior state vectors at the current moment and the first and second behavior state vectors at the next moment;
acquiring the state point of the target terminal at the current moment based on its first and second behavior state vectors at the current moment;
continuously attacking the defense state of the industrial internet along the time-series running direction to obtain the boundary point of the multi-dimensional steady-state domain, calculating the distance between the state point of the target terminal at the current moment and that boundary point, and taking the distance as the domain boundary distance; and intercepting all operation behaviors of the target terminal when the domain boundary distance is smaller than a domain boundary threshold.
2. The method of claim 1, wherein generating the multi-dimensional steady-state domain based on the terminal behavior data of all first terminals and the historical intrusion data of the industrial internet comprises:
identifying, based on the historical intrusion data of the industrial internet, all first terminals that have intruded into the industrial internet and taking them as second terminals; randomly selecting one second terminal as the target second terminal, and then acquiring the terminal behavior data of the target second terminal;
obtaining the terminal sending data and the terminal receiving data of the target second terminal from its terminal behavior data, and extracting the data features of the terminal sending data and the terminal receiving data to obtain the terminal sending features and the terminal receiving features of the target second terminal;
determining a plurality of network attack directions of the target second terminal based on its terminal sending features and terminal receiving features, continuously attacking the defense state of the industrial internet along the plurality of network attack directions of the target second terminal, and stopping the attack once the defense state of the industrial internet is damaged, so as to obtain the two-dimensional steady-state domain of the target second terminal;
selecting another second terminal as the target second terminal and repeating the above steps until all second terminals have been traversed, so as to obtain the two-dimensional steady-state domain of each second terminal;
and generating the multi-dimensional steady-state domain based on the two-dimensional steady-state domains of all second terminals.
3. The method of claim 2, wherein obtaining the two-dimensional steady-state domain of the target second terminal based on the plurality of network attack directions of the target second terminal comprises:
randomly selecting one network attack direction from the plurality of network attack directions of the target second terminal as the target network attack direction, and continuously attacking the defense state of the industrial internet along the target network attack direction until the defense state of the industrial internet in the target network attack direction is damaged; the defense state in the target network attack direction being damaged means that it changes from the stable state to the fluctuation state;
acquiring the limit point of the industrial internet when the defense state in the target network attack direction changes from the stable state to the fluctuation state, and taking that limit point as the defense damage point of the industrial internet in the target network attack direction;
selecting another network attack direction of the target second terminal as the target network attack direction and repeating the above operation until all network attack directions of the target second terminal have been traversed, so as to obtain the defense damage point of the industrial internet in each network attack direction of the target second terminal;
and connecting the defense damage points of the industrial internet in each network attack direction of the target second terminal to obtain the two-dimensional steady-state domain of the target second terminal.
4. The method of claim 3, wherein determining the plurality of network attack directions of the target second terminal based on its terminal sending features and terminal receiving features comprises:
generating a sending feature vector from the terminal sending features, generating a receiving feature vector from the terminal receiving features, and identifying, based on the sending feature vector and the receiving feature vector, a plurality of attack nodes through which the target second terminal attacks the industrial internet;
acquiring the first node feature vector and the second node feature vector of each attack node; the first node feature vector represents the data transmission features of the attack node; the second node feature vector represents the data reception features of the attack node;
acquiring all neighbor attack nodes of each attack node based on its first and second node feature vectors, and sequentially connecting each attack node with its neighbor attack nodes to generate the attack curve of each attack node;
and taking the tangential direction of the attack curve of each attack node as the network attack direction of that attack node, and then obtaining the plurality of network attack directions of the target second terminal from the network attack directions of all attack nodes.
5. The method of claim 4, wherein obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node comprises:
calculating the similarity between the first node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a first proximity value between each attack node and each other attack node;
calculating the similarity between the second node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a second proximity value between each attack node and each other attack node;
calculating the similarity between the first node feature vector of each attack node and the second node feature vectors of the other attack nodes to obtain a third proximity value between each attack node and each other attack node;
and calculating the similarity between the second node feature vector of each attack node and the first node feature vectors of the other attack nodes to obtain a fourth proximity value between each attack node and each other attack node.
6. The method of claim 5, wherein obtaining the neighbor attack nodes of an attack node based on the first node feature vector and the second node feature vector of the attack node further comprises:
traversing all attack nodes, taking the traversed attack node as the target attack node, and taking the other attack nodes except the target attack node as candidate attack nodes of the target attack node;
traversing all candidate attack nodes of the target attack node, and taking the traversed candidate attack node as the target candidate attack node;
comparing the first, second, third and fourth proximity values between the target attack node and the target candidate attack node with a first, second, third and fourth proximity threshold respectively;
and when the first proximity value between the target attack node and the target candidate attack node is greater than the first proximity threshold, the second proximity value is greater than the second proximity threshold, the third proximity value is less than the third proximity threshold and the fourth proximity value is less than the fourth proximity threshold, taking the target candidate attack node as a neighbor attack node of the target attack node.
7. The method of claim 6, wherein acquiring the limit point of the industrial internet when the defense state in the target network attack direction changes from the stable state to the fluctuation state comprises:
acquiring the network structure data of the industrial internet, the network structure data in the stable state and the network structure data in the fluctuation state from a database, and determining a steady-state constraint condition of the industrial internet based on these three sets of network structure data;
acquiring the historical intrusion data of the industrial internet from the database, extracting the intrusion time-series features of the historical intrusion data, and then acquiring the defense state of the industrial internet at the current moment;
predicting the defense state of the industrial internet at the next moment based on the intrusion time-series features and the defense state at the current moment, acquiring the defense state vector at the current moment from the defense state at the current moment, and acquiring the defense state vector at the next moment from the predicted defense state at the next moment;
calculating the network attack direction at the next moment from the defense state vector at the current moment and the defense state vector at the next moment, and extracting the network structure features of the industrial internet at the current moment and the network structure features of the industrial internet when its defense state is in the fluctuation state;
calculating the similarity between the network structure features at the current moment and the network structure features in the fluctuation state, and verifying, based on the steady-state constraint condition and this similarity, whether the defense state of the industrial internet at the current moment is in the fluctuation state;
when the defense state at the current moment is in the fluctuation state, generating the state point for the current moment from the defense state vector at the current moment and taking that state point as the limit point;
and when the defense state at the current moment is in the stable state, taking the next moment as the current moment and repeating the above steps until the defense state of the industrial internet is in the fluctuation state, then generating the state point for that moment from its defense state vector and taking it as the limit point.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110897841.7A CN113691505B (en) 2021-08-05 2021-08-05 Industrial internet intrusion detection method based on big data


Publications (2)

Publication Number Publication Date
CN113691505A CN113691505A (en) 2021-11-23
CN113691505B true CN113691505B (en) 2022-05-24

Family

ID=78578945






Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20220505

Address after: 065500 North District of Gu'an Industrial Park, Langfang City, Hebei Province

Applicant after: GU'AN JULONG AUTOMATION EQUIPMENT Co.,Ltd.

Address before: 610000 Financial City, north section of Tianfu Avenue, Wuhou District, Chengdu, Sichuan

Applicant before: Li Yang

GR01 Patent grant