CN113779045B - Training method and training device for industrial control protocol data anomaly detection model - Google Patents


Info

Publication number: CN113779045B
Application number: CN202111337679.XA
Authority: CN (China)
Prior art keywords: control protocol, industrial control, protocol data, sequence, feature vector
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113779045A
Inventors: 丁醒醒, 孙鹏程, 刘萱, 李瑞群, 王潇茵, 杜婉茹
Current assignee: Aerospace Hongkang Intelligent Technology Beijing Co ltd
Original assignee: Aerospace Hongkang Intelligent Technology Beijing Co ltd
Events: application filed by Aerospace Hongkang Intelligent Technology Beijing Co ltd; priority to CN202111337679.XA; publication of CN113779045A; application granted; publication of CN113779045B; legal status active

Classifications

All under G PHYSICS, G06 COMPUTING; CALCULATING OR COUNTING:

    • G06F16/2228 Indexing structures (G06F16/22 Indexing; data structures and storage structures therefor; G06F16/20 information retrieval of structured data, e.g. relational data)
    • G06F16/24568 Data stream processing; continuous queries (G06F16/2455 Query execution; G06F16/245 Query processing; G06F16/24 Querying)
    • G06F40/242 Dictionaries (G06F40/237 Lexical tools; G06F40/20 Natural language analysis; G06F40/00 Handling natural language data)
    • G06N3/04 Architecture, e.g. interconnection topology (G06N3/02 Neural networks; G06N3/00 Computing arrangements based on biological models)
    • G06N3/084 Backpropagation, e.g. using gradient descent (G06N3/08 Learning methods; G06N3/02 Neural networks)

Abstract

A training method and a training device for an industrial control protocol data anomaly detection model are disclosed. The model comprises a combined coding module, a pre-training model and a self-coding (autoencoder) network, and the training method comprises the following steps: acquiring an industrial control protocol data stream, the stream being data expressed in hexadecimal; binding every two adjacent hexadecimal digits of the stream into a combined code by means of the combined coding module and converting each combined code into an index value, so as to obtain an index sequence; converting the index sequence into a first feature vector sequence by means of the pre-training model; and, by means of the self-coding network, converting the first feature vector sequence into a second feature vector sequence and performing a loss calculation, thereby training the model. The training method enables the trained model to identify anomalies in industrial control protocol data accurately without labelled data.

Description

Training method and training device for industrial control protocol data anomaly detection model
Technical Field
The present disclosure relates generally to the field of data anomaly detection technology, and more particularly, to a training method and a training apparatus for an industrial control protocol data anomaly detection model.
Background
Industrial control protocols are semi-open and semi-transparent, but many of them did not fully consider communication security when they were designed, so that various abnormal messages can cause the master or slave equipment to malfunction, and numerous potential safety hazards exist.
Anomaly detection (or outlier detection) is the identification of rare events among observations that are suspected to be anomalous because they differ significantly from most of the data. At present, security risks exist in credit card fraud, spam and other telecommunication fraud, network attacks and the like, but industrial control protocol data flows face more specialised security threats, because an industrial control system runs without interruption and protective measures such as system updates and patches are difficult to apply in real time. Considering that anomaly detection can remove abnormal data from a data set and thus reduce the influence of noise on normal data, anomaly detection of industrial control protocol data has particular practical significance for data security.
Existing anomaly detection techniques detect anomalies in communication protocols, behaviour data, network data, system states and the like by means of data analysis, or by means of machine-learning classification models, clustering models and the like. Such models usually require data with anomaly labels, that is, whether each piece of training data is anomalous must be marked manually for supervised training. However, manually labelling tens of millions of records is extremely difficult, and manually analysing large quantities of labelled data also takes a great deal of time.
Disclosure of Invention
The invention provides a training method and a training device for an industrial control protocol data anomaly detection model based on a new combined coding mode, so that the trained model can accurately identify anomalies in industrial control protocol data without labels.
In one general aspect, there is provided a training method for an industrial control protocol data anomaly detection model, where the model includes a combined coding module, a pre-training model and a self-coding network, and the training method includes: acquiring an industrial control protocol data stream, the stream being data expressed in hexadecimal; binding every two adjacent hexadecimal digits of the stream into a combined code by means of the combined coding module and converting each combined code into an index value, so as to obtain an index sequence; converting the index sequence into a first feature vector sequence by means of the pre-training model; and, by means of the self-coding network, converting the first feature vector sequence into a second feature vector sequence and performing a loss calculation, thereby training the model.
Optionally, the industrial control protocol data stream includes a first number of hexadecimal digits and the index sequence includes a second number of index values, where the first number is 2 times the second number.
Optionally, the step of binding every two adjacent hexadecimal digits of the stream into a combined code by means of the combined coding module and converting each combined code into an index value, so as to obtain an index sequence, includes: binding every two adjacent hexadecimal digits of the stream into a combined code to obtain a sample sequence, the sample sequence comprising a second number of combined codes; and converting the sample sequence into an index sequence by converting each combined code in the sample sequence into an index value according to a preset index dictionary library, where each index value in the index dictionary library corresponds to one combined code.
Optionally, the index dictionary library contains 256 correspondences between index values and combined codes.
Optionally, the step of converting the index sequence into a first feature vector sequence by means of the pre-training model includes: converting each index value in the index sequence into a feature vector of a preset dimension by means of the pre-training model, so that the first feature vector sequence comprises a second number of feature vectors.
Optionally, the step of converting the first feature vector sequence into a second feature vector sequence by means of the self-coding network and performing a loss calculation, so as to train the model, includes: performing dimension-reduction compression and decoding restoration on each feature vector in the first feature vector sequence by means of the self-coding network to obtain a second feature vector sequence, the second feature vector sequence comprising a second number of feature vectors of the preset dimension; and performing the loss calculation for the model on the basis of the first feature vector sequence and the second feature vector sequence.
Optionally, the self-coding network includes an encoder and a decoder, and the step of performing dimension-reduction compression and decoding restoration on each feature vector in the first feature vector sequence by means of the self-coding network to obtain a second feature vector sequence includes: compressing each feature vector in the first feature vector sequence to a lower dimension by means of the encoder; and decoding and restoring each compressed feature vector by means of the decoder to obtain the second feature vector sequence.
Optionally, the step of converting the first feature vector sequence into a second feature vector sequence by means of the self-coding network and performing a loss calculation, so as to train the model, further includes: adjusting the parameters of the pre-training model and of the self-coding network according to the result of the loss calculation, so that the second feature vector sequence output by the model meets a preset requirement.
In another general aspect, there is provided an anomaly detection method for industrial control protocol data, the method including: acquiring an industrial control protocol data stream to be detected, the stream being data expressed in hexadecimal; taking the stream to be detected as input and performing a loss calculation with the industrial control protocol data anomaly detection model obtained by the training method above; and determining that the stream to be detected is an abnormal data stream when the loss value obtained by the loss calculation is larger than a preset threshold.
In another general aspect, there is provided a training apparatus for an industrial control protocol data anomaly detection model, the model including a combined coding module, a pre-training model and a self-coding network, where the training apparatus includes: a data acquisition unit configured to acquire an industrial control protocol data stream, the stream being data expressed in hexadecimal; a combined coding unit configured to bind every two adjacent hexadecimal digits of the stream into a combined code by means of the combined coding module and to convert each combined code into an index value, so as to obtain an index sequence; a vector representation unit configured to convert the index sequence into a first feature vector sequence by means of the pre-training model; and a network training unit configured to convert the first feature vector sequence into a second feature vector sequence and perform a loss calculation by means of the self-coding network, so as to train the model.
Optionally, the industrial control protocol data stream includes a first number of hexadecimal digits and the index sequence includes a second number of index values, where the first number is 2 times the second number.
Optionally, the combined coding unit is configured to: bind every two adjacent hexadecimal digits of the stream into a combined code to obtain a sample sequence, the sample sequence comprising a second number of combined codes; and convert the sample sequence into an index sequence by converting each combined code in the sample sequence into an index value according to a preset index dictionary library, where each index value in the index dictionary library corresponds to one combined code.
Optionally, the index dictionary library contains 256 correspondences between index values and combined codes.
Optionally, the vector representation unit is configured to convert each index value in the index sequence into a feature vector of a preset dimension by means of the pre-training model, so that the first feature vector sequence comprises a second number of feature vectors.
Optionally, the network training unit is configured to: perform dimension-reduction compression and decoding restoration on each feature vector in the first feature vector sequence by means of the self-coding network to obtain a second feature vector sequence, the second feature vector sequence comprising a second number of feature vectors of the preset dimension; and perform the loss calculation for the model on the basis of the first feature vector sequence and the second feature vector sequence.
Optionally, the network training unit is configured to: compress each feature vector in the first feature vector sequence to a lower dimension by means of the encoder; and decode and restore each compressed feature vector by means of the decoder to obtain the second feature vector sequence.
Optionally, the network training unit is configured to adjust the parameters of the pre-training model and of the self-coding network according to the result of the loss calculation, so that the second feature vector sequence output by the model meets a preset requirement.
In another general aspect, there is provided a computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the training method for an industrial control protocol data anomaly detection model as described above or the anomaly detection method for industrial control protocol data as described above.
In another general aspect, there is provided a computing device, comprising: a processor; and a memory storing a computer program that, when executed by the processor, implements the training method for the industrial control protocol data anomaly detection model or the anomaly detection method for industrial control protocol data as described above.
According to the training method and the training device for the industrial control protocol data anomaly detection model, a new coding mode is applied to training the model: no heavy manual design work is needed, that is, no data labels are required and the data streams need no additional parsing, and the trained model has good recognition performance on industrial control protocol data, so that anomalies in such data can be identified efficiently and accurately. In addition, performing anomaly detection on industrial control protocol data with a model trained by the training method and the training device not only effectively prevents deliberate damage but also ensures the correctness of the message data.
Additional aspects and/or advantages of the present general inventive concept will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the general inventive concept.
Drawings
The above and other objects and features of the embodiments of the present disclosure will become more apparent from the following description taken in conjunction with the accompanying drawings illustrating embodiments, in which:
FIG. 1 is a flow diagram illustrating a method of training an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure;
FIG. 2 is an illustrative diagram showing an industrial control protocol data processing procedure in accordance with an embodiment of the disclosure;
FIG. 3 is a loss plot illustrating an industrial control protocol data anomaly detection model training process according to an embodiment of the present disclosure;
FIG. 4 is a flow chart illustrating a method of anomaly detection of industrial control protocol data according to an embodiment of the present disclosure;
FIG. 5 is a block diagram illustrating a training apparatus for an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure;
FIG. 6 is a block diagram illustrating a computing device according to an embodiment of the present disclosure.
Detailed Description
The following detailed description is provided to assist the reader in obtaining a thorough understanding of the methods, devices, and/or systems described herein. However, various changes, modifications, and equivalents of the methods, apparatus, and/or systems described herein will be apparent to those skilled in the art after reviewing the disclosure of the present application. For example, the order of operations described herein is merely an example, and is not limited to those set forth herein, but may be changed as will become apparent after understanding the disclosure of the present application, except to the extent that operations must occur in a particular order. Moreover, descriptions of features known in the art may be omitted for clarity and conciseness.
The features described herein may be embodied in different forms and should not be construed as limited to the examples described herein. Rather, the examples described herein have been provided to illustrate only some of the many possible ways to implement the methods, devices, and/or systems described herein, which will be apparent after understanding the disclosure of the present application.
As used herein, the term "and/or" includes any one of the associated listed items and any combination of any two or more.
Although terms such as "first", "second", and "third" may be used herein to describe various elements, components, regions, layers or sections, these elements, components, regions, layers or sections should not be limited by these terms. Rather, these terms are only used to distinguish one element, component, region, layer or section from another element, component, region, layer or section. Thus, a first element, component, region, layer or section referred to in the examples described herein could also be referred to as a second element, component, region, layer or section without departing from the teachings of the examples.
In the specification, when an element (such as a layer, region or substrate) is described as being "on," "connected to" or "coupled to" another element, it can be directly on, connected to or coupled to the other element or one or more other elements may be present therebetween. In contrast, when an element is referred to as being "directly on," "directly connected to," or "directly coupled to" another element, there may be no intervening elements present.
The terminology used herein is for the purpose of describing various examples only and is not intended to be limiting of the disclosure. The singular is also intended to include the plural unless the context clearly indicates otherwise. The terms "comprises," "comprising," and "having" specify the presence of stated features, quantities, operations, elements, components, and/or combinations thereof, but do not preclude the presence or addition of one or more other features, quantities, operations, components, elements, and/or combinations thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs after understanding the present disclosure. Unless explicitly defined as such herein, terms (such as those defined in general dictionaries) should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and should not be interpreted in an idealized or overly formal sense.
Further, in the description of the examples, when it is considered that detailed description of well-known related structures or functions will cause a vague explanation of the present disclosure, such detailed description will be omitted.
According to the training method and the training device for the industrial control protocol data anomaly detection model, a new coding mode is applied to training the model: no heavy manual design work is needed, that is, no data labels are required and the data streams need no additional parsing, and the trained model has good recognition performance on industrial control protocol data, so that anomalies in such data can be identified efficiently and accurately.
A method and an apparatus for training an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure will be described in detail below with reference to FIGS. 1 to 5. Here, the industrial control protocol data anomaly detection model may include a combined coding module, a pre-training model and a self-coding network.
FIG. 1 is a flow chart illustrating a training method of an industrial control protocol data anomaly detection model according to an embodiment of the disclosure.
Referring to FIG. 1, in step S101 an industrial control protocol data stream may be acquired. Here, the stream may be data in hexadecimal representation. In particular, it may comprise data streams carried over various communication protocols (e.g. FTP, TCP, UDP, etc.), the messages exchanged under each protocol being represented as hexadecimal data streams. Further, the stream may include a first number of hexadecimal digits. The first number may be an even number, and its value may be set by a person skilled in the art according to the actual situation. In addition, when the acquired stream is shorter than the first number it can be padded, and when it is longer than the first number it can be truncated, as a person skilled in the art sees fit, so that the length of the stream is fixed to the first number.
Next, in step S102, every two adjacent hexadecimal digits of the stream may be bound into a combined code by means of the combined coding module, and each combined code converted into an index value, so as to obtain an index sequence. Here, the index sequence may include a second number of index values, and the first number described above may be 2 times the second number.
According to the embodiment of the disclosure, a sample sequence can be obtained by binding every two adjacent hexadecimal digits of the stream into a combined code. Here, the sample sequence may include a second number of combined codes. Then each combined code in the sample sequence may be converted into an index value according to a preset index dictionary library, thereby converting the sample sequence into an index sequence. Each index value in the index dictionary library corresponds to one combined code, and since two hexadecimal digits form one byte, the library may contain 256 such correspondences between index values and combined codes. The specific correspondence between index values and combined codes can be set by a person skilled in the art according to the actual situation.
Next, in step S103, the index sequence may be converted into a first feature vector sequence by means of the pre-training model. Here, a pre-trained model is a model obtained beforehand by (for example unsupervised) learning, which can express data as feature vectors. As an example, the pre-training model may be a BERT model.
According to an embodiment of the present disclosure, each index value in the index sequence may be converted into a feature vector by the pre-training model, thereby converting the index sequence into a first feature vector sequence. Each index value is converted individually into a feature vector of a preset dimension, so the first feature vector sequence may include a second number of feature vectors. The value of the preset dimension can be set by a person skilled in the art according to the actual situation.
Next, in step S104, the first feature vector sequence may be converted into a second feature vector sequence by means of the self-coding network and a loss calculation may be performed, so as to train the industrial control protocol data anomaly detection model. Here, the self-coding network may be a fully connected neural network (FCN) for deep learning.
According to the embodiment of the disclosure, each feature vector in the first feature vector sequence can be subjected to dimension-reduction compression and decoding restoration by the self-coding network, so as to obtain a second feature vector sequence. Here, the second feature vector sequence includes a second number of feature vectors of the preset dimension.
According to an embodiment of the present disclosure, the self-coding network may include an encoder and a decoder. The encoder compresses a feature vector, essentially reducing its dimension, and this dimension reduction removes noise from the data; the decoder decodes the reduced-dimension feature vector, that is, restores it to a feature vector of the original dimension, and the restored feature vector can then be regarded as noise-free data. As an example, the self-coding network may be an AutoEncoder model in which the encoder and decoder are trained by self-supervised learning. On this basis, each feature vector in the first feature vector sequence can be compressed by the encoder and each compressed feature vector decoded and restored by the decoder, so as to obtain the second feature vector sequence.
Next, according to an embodiment of the present disclosure, a loss calculation may be performed for the industrial control protocol data anomaly detection model on the basis of the first and second feature vector sequences. Here, the model loss may be calculated as the mean square error (MSE) between the first and second feature vector sequences, but this is not limiting, and a person skilled in the art may choose the loss function of the model according to the actual circumstances.
Next, according to an embodiment of the present disclosure, the parameters of the pre-training model and of the self-coding network may be adjusted according to the result of the loss calculation, so that the second feature vector sequence output by the model meets a preset requirement. The model computes the loss from the first and second feature vector sequences, that is, from the input and output of the self-coding network, and the loss is then back-propagated to adjust the parameters of the model; in the end the model learns the format of a normal data stream, and anomalies or noise in the data stream are discarded. The preset requirement on the second feature vector sequence may be that it is identical or close to the first feature vector sequence, i.e. that the result of the loss calculation eventually converges. The industrial control protocol data processing procedure according to an embodiment of the present disclosure is described in detail below with reference to FIG. 2.
Fig. 2 is an explanatory diagram illustrating an industrial control protocol data processing procedure according to an embodiment of the present disclosure.
Referring to fig. 2, as an example, for an industrial control protocol data stream "8c1645976363…" represented in hexadecimal with a data length of 2n, binding every two adjacent hexadecimal digits gives the sample sequence "8c 16 45 97 63 63 …". Then the combined codes 8c, 16, 45, 97, 63, etc. are mapped one-to-one according to the index dictionary library described above and converted into an index sequence (not shown in fig. 2) such as "222, 34, 56, 74, 69, 69 …". Next, the index sequence is converted into the first feature vector sequence [x1, x2, x3, x4, x5 …] by the pre-training model described above. Next, each feature vector in the first feature vector sequence is input into the self-coding network described above; in this process, each m-dimensional feature vector is compressed by the encoder and, after being decoded and restored by the decoder, becomes a new m-dimensional feature vector, and finally the self-coding network outputs the second feature vector sequence [y1, y2, y3, y4, y5 …]. The loss curve of the training process of the industrial control protocol data anomaly detection model according to an embodiment of the disclosure is described in detail below with reference to fig. 3.
FIG. 3 is a loss plot illustrating an industrial control protocol data anomaly detection model training process according to an embodiment of the present disclosure.
Referring to fig. 3, as an example, the abscissa is the training period (epoch) and the ordinate is the mean square error (mse); the curve labelled train is the loss curve on the training set, and the curve labelled val is the loss curve on the validation set. As shown in fig. 3, during training the mean square error loss of the model decreases gradually as the number of iterations increases, and finally the model learns the format of the normal data stream and discards anomalies or noise in the data stream. Here, a person skilled in the art may take the model with relatively good performance on the validation set as the final industrial control protocol data anomaly detection model, and then use it to perform anomaly detection. An anomaly detection method for industrial control protocol data according to an embodiment of the present disclosure is described in detail below with reference to fig. 4.
Fig. 4 is a flowchart illustrating an anomaly detection method for industrial control protocol data according to an embodiment of the present disclosure.
Referring to fig. 4, in step S401, an industrial control protocol data stream to be detected may be acquired. Here, the industrial control protocol data stream to be detected is data expressed in hexadecimal.
Next, in step S402, the industrial control protocol data stream to be detected may be used as an input, and the loss calculation may be performed by using the industrial control protocol data anomaly detection model obtained by the training method of the industrial control protocol data anomaly detection model according to the embodiment of the present disclosure.
Next, in step S403, the industrial control protocol data stream to be detected may be determined to be an abnormal data stream when the loss value obtained by the loss calculation is greater than a preset threshold. Here, the loss calculation may be performed by calculating the mean square error as described above. Because the trained model has learned the format of the normal data stream, when the industrial control protocol data stream to be detected is provided as the input of the model, the model discards the anomaly or noise in the data stream and outputs normal data, so an abnormal stream differs from the model's output and yields a large loss value. Further, the preset threshold may be set to 0.13, that is, when the loss value is greater than 0.13, the industrial control protocol data stream to be detected is determined to be an abnormal data stream. In addition, the value of the preset threshold may also be set by those skilled in the art according to actual situations.
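The processing procedure of fig. 2 (combined coding, index sequence, feature vectors, self-coding network) and the detection steps S401 to S403 above, as one added example in pure Python. This is not code from the patent or its applicant, and it makes several assumptions the patent does not state: the index dictionary library maps the 256 combined codes "00".."ff" to 0..255 in numeric order (the patent's own dictionary assignment is not disclosed, so its example indices 222, 34, 56 … will not be reproduced); a frozen, seeded random embedding table stands in for the pre-training model; the self-coding network is a linear encoder/decoder trained by per-sample gradient descent on the mean square error; and the 0.13 threshold is the preset value from the description. The sample frames are constructed, not captured traffic.

```python
# Added example, not code from the patent. Assumed: dictionary order "00".."ff" -> 0..255,
# a frozen random embedding table in place of the pre-training model, and a linear
# encoder/decoder trained by gradient descent on MSE; 0.13 is the description's threshold.
import random

M_DIM = 16        # preset feature-vector dimension m (assumed value)
K_DIM = 5         # encoder bottleneck dimension (assumed value)
THRESHOLD = 0.13  # preset loss threshold from the description

# Combined coding module: one index value per two-digit combined code (assumed ordering).
INDEX_DICTIONARY = {f"{i:02x}": i for i in range(256)}

def hex_to_combined_codes(stream):
    """Bind every two adjacent hexadecimal digits into a combined code (the sample sequence)."""
    digits = "".join(stream.split()).lower()  # tolerate "8c 16 45 ..." spacing
    if len(digits) % 2:  # the first number must be exactly 2 times the second number
        raise ValueError("hexadecimal stream must contain an even number of digits")
    codes = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    bad = [c for c in codes if c not in INDEX_DICTIONARY]
    if bad:
        raise ValueError(f"not hexadecimal pairs: {bad}")
    return codes

def to_index_sequence(stream):
    # Convert the sample sequence into the index sequence via the dictionary library.
    return [INDEX_DICTIONARY[c] for c in hex_to_combined_codes(stream)]

def make_embedding(seed=0):
    """Stand-in for the pre-training model: a frozen 256 x M_DIM lookup table."""
    rng = random.Random(seed)
    return [[rng.uniform(-1, 1) for _ in range(M_DIM)] for _ in range(256)]

def mse(a, b):
    # Mean square error between two vectors of equal length.
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)

class LinearAutoencoder:
    """Self-coding network: the encoder compresses M -> K, the decoder restores K -> M."""

    def __init__(self, seed=1):
        rng = random.Random(seed)
        self.w_enc = [[rng.uniform(-0.5, 0.5) for _ in range(M_DIM)] for _ in range(K_DIM)]
        self.w_dec = [[rng.uniform(-0.5, 0.5) for _ in range(K_DIM)] for _ in range(M_DIM)]

    def encode(self, x):
        return [sum(w * xi for w, xi in zip(row, x)) for row in self.w_enc]

    def decode(self, h):
        return [sum(w * hi for w, hi in zip(row, h)) for row in self.w_dec]

    def reconstruct(self, x):
        return self.decode(self.encode(x))

    def train_step(self, x, lr):
        """One back-propagation step on MSE(x, decode(encode(x))); returns that loss."""
        h = self.encode(x)
        y = self.decode(h)
        dy = [2 * (yi - xi) / M_DIM for yi, xi in zip(y, x)]  # dL/dy
        dh = [sum(self.w_dec[i][j] * dy[i] for i in range(M_DIM)) for j in range(K_DIM)]  # dL/dh
        for i in range(M_DIM):
            for j in range(K_DIM):
                self.w_dec[i][j] -= lr * dy[i] * h[j]
        for j in range(K_DIM):
            for i in range(M_DIM):
                self.w_enc[j][i] -= lr * dh[j] * x[i]
        return mse(x, y)

def train(model, emb, streams, epochs=400, lr=0.05):
    """Fit the network to normal frames; returns the per-epoch mean loss (the fig. 3 curve)."""
    history = []
    for _ in range(epochs):
        total, count = 0.0, 0
        for stream in streams:
            for idx in to_index_sequence(stream):
                total += model.train_step(emb[idx], lr)
                count += 1
        history.append(total / count)
    return history

def sequence_loss(model, emb, stream):
    """MSE between the first and second feature vector sequences, averaged over the frame."""
    xs = [emb[i] for i in to_index_sequence(stream)]
    return sum(mse(x, model.reconstruct(x)) for x in xs) / len(xs)

def is_abnormal(model, emb, stream, threshold=THRESHOLD):
    # Step S403: a frame is abnormal when its loss value exceeds the preset threshold.
    return sequence_loss(model, emb, stream) > threshold

# Constructed sample frames, not captured traffic: normal frames reuse the byte values
# of the description's example; the abnormal frame uses byte values never trained on.
NORMAL_STREAMS = ["8c1645976363", "8c1645636397", "8c169745", "8c63634516"]
ABNORMAL_STREAM = "ff00ff00a5a5"

if __name__ == "__main__":
    emb, model = make_embedding(), LinearAutoencoder()
    hist = train(model, emb, NORMAL_STREAMS)
    print(f"epoch 1 loss {hist[0]:.4f}, final loss {hist[-1]:.4f}")
    for s in NORMAL_STREAMS + [ABNORMAL_STREAM]:
        verdict = "abnormal" if is_abnormal(model, emb, s) else "normal"
        print(f"{s:<14} loss {sequence_loss(model, emb, s):.4f} -> {verdict}")
```

Two simplifications matter in practice. The embedding table is frozen here, whereas the description also adjusts the pre-training model's parameters during back-propagation, so a real deployment learns both the per-code vectors and the encoder/decoder. The fixed threshold is tied to the scale of the feature vectors: 0.13 is only meaningful for the dimension and embedding the model was trained with, so the cut-off should be calibrated against the validation-set loss distribution of fig. 3 rather than copied, and a frame whose loss is just above or below it deserves review rather than an automatic verdict.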
According to the training method of the industrial control protocol data anomaly detection model described above, the new coding mode is applied to the training of the industrial control protocol data anomaly detection model, and the trained model can accurately identify anomalies in industrial control protocol data without labels. In addition, the industrial control protocol data anomaly detection method can detect anomalies in industrial control protocol data quickly and accurately, which not only effectively prevents deliberate damage but also ensures the correctness of message data.
FIG. 5 is a block diagram illustrating a training apparatus of an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure. The training device of the industrial control protocol data anomaly detection model according to the embodiment of the disclosure can be realized in a computing device with enough computing capability.
Referring to fig. 5, a training apparatus 500 of an industrial control protocol data anomaly detection model according to an embodiment of the present disclosure may include a data acquisition unit 510, a combined encoding unit 520, a vector representation unit 530, and a network training unit 540. Here, the industrial control protocol data anomaly detection model may include a combined coding module, a pre-training model, and a self-coding network.
The data acquisition unit 510 may acquire an industrial control protocol data stream. As described above, an industrial control protocol data stream is data in hexadecimal representation.
The combined encoding unit 520 may bind every two adjacent hexadecimal numbers in the industrial control protocol data stream to a combined code based on the combined encoding module, and convert the combined code into an index value, thereby obtaining an index sequence.
Alternatively, as described above, the industrial control protocol data stream may include a first number of hexadecimal numbers and the index sequence may include a second number of index values. Here, the first number may be 2 times the second number.
The combined encoding unit 520 may obtain the sample sequence by binding every two adjacent hexadecimal numbers in the industrial control protocol data stream to a combined code. Here, the sample sequence may include a second number of combined codes.
The combined encoding unit 520 may convert the sample sequence into an index sequence by converting each combined code in the sample sequence into an index value based on a preset index dictionary library. Here, each index value in the index dictionary library corresponds to one combined code.
Alternatively, as described above, the index dictionary library may include 256 correspondences between index values and combined codes.
The vector representation unit 530 may convert the index sequence into a first feature vector sequence based on a pre-training model.
Alternatively, the vector representation unit 530 may convert the index sequence into the first feature vector sequence by converting the index values in the index sequence into the feature vectors based on the pre-trained model. Here, each index value may be individually converted into a feature vector of a preset dimension, and the first feature vector sequence may include a second number of feature vectors.
The network training unit 540 may convert the first feature vector sequence into a second feature vector sequence based on the self-coding network and perform loss calculation, thereby training the industrial control protocol data anomaly detection model.
The network training unit 540 may perform dimension reduction compression and decoding restoration on each feature vector in the first feature vector sequence based on the self-coding network, thereby obtaining a second feature vector sequence. Here, the second feature vector sequence may include a second number of feature vectors of preset dimensions. Alternatively, the self-coding network may include an encoder and a decoder, and the network training unit 540 may perform dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder, and decode and restore each feature vector after dimension reduction compression based on the decoder, so as to obtain the second feature vector sequence.
The network training unit 540 may perform loss calculation on the industrial control protocol data anomaly detection model based on the first feature vector sequence and the second feature vector sequence.
The network training unit 540 may further adjust parameters of the pre-training model and the self-coding network based on the result of the loss calculation, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.
Fig. 6 is a block diagram illustrating a computing device according to an embodiment of the present disclosure.
Referring to fig. 6, a computing device 600 according to an embodiment of the disclosure may include a processor 610 and a memory 620. The processor 610 may include, but is not limited to, a Central Processing Unit (CPU), a Digital Signal Processor (DSP), a microcomputer, a Field Programmable Gate Array (FPGA), a system on a chip (SoC), a microprocessor, an Application Specific Integrated Circuit (ASIC), and the like. The memory 620 stores computer programs to be executed by the processor 610. Memory 620 includes high speed random access memory and/or non-volatile computer-readable storage media. When processor 610 executes the computer program stored in memory 620, the method of training the industrial control protocol data anomaly detection model described above or the method of anomaly detection of industrial control protocol data described above may be implemented.
The training method of the industrial control protocol data anomaly detection model according to the embodiment of the present disclosure or the anomaly detection method of the industrial control protocol data according to the embodiment of the present disclosure may be written as a computer program and stored on a computer-readable storage medium. When executed by a processor, the computer program can implement the training method of the industrial control protocol data anomaly detection model or the industrial control protocol data anomaly detection method. Examples of computer-readable storage media include: read-only memory (ROM), random-access programmable read-only memory (PROM), electrically erasable programmable read-only memory (EEPROM), random-access memory (RAM), dynamic random-access memory (DRAM), static random-access memory (SRAM), flash memory, non-volatile memory, CD-ROM, CD-R, CD+R, CD-RW, CD+RW, DVD-ROM, DVD-R, DVD+R, DVD-RW, DVD+RW, DVD-RAM, BD-ROM, BD-R, BD-R LTH, BD-RE, Blu-ray or optical disc memory, hard disk drive (HDD), solid-state drive (SSD), card-type memory (such as a multimedia card, a Secure Digital (SD) card or an eXtreme Digital (XD) card), magnetic tape, a floppy disk, a magneto-optical data storage device, an optical data storage device, a hard disk, a solid state disk, and any other device configured to store and provide a computer program and any associated data, data files, and data structures to a processor or computer in a non-transitory manner such that the processor or computer can execute the computer program.
In one example, the computer program and any associated data, data files, and data structures are distributed across networked computer systems such that the computer program and any associated data, data files, and data structures are stored, accessed, and executed in a distributed fashion by one or more processors or computers.
According to the training method and the training device for the industrial control protocol data anomaly detection model described above, a new coding mode is applied to the training of the industrial control protocol data anomaly detection model. No heavy manual design effort is needed: the data need not be labelled and the data streams need not be parsed separately, yet the trained model has good recognition performance on industrial control protocol data and can identify anomalies in it efficiently and accurately. In addition, performing anomaly detection on industrial control protocol data with a model trained by the training method and training device not only effectively prevents intentional damage but also ensures the correctness of message data.
Although a few embodiments of the present disclosure have been shown and described, it would be appreciated by those skilled in the art that changes may be made in these embodiments without departing from the principles and spirit of the disclosure, the scope of which is defined in the claims and their equivalents.

Claims (9)

1. A training method for an industrial control protocol data anomaly detection model is characterized in that the industrial control protocol data anomaly detection model comprises a combined coding module, a pre-training model and a self-coding network, wherein the training method comprises the following steps:
acquiring an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal;
binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined coding module, and converting the combined code into an index value so as to obtain an index sequence, wherein the industrial control protocol data stream comprises a first number of hexadecimal numbers, the index sequence comprises a second number of index values, and the first number is 2 times of the second number;
converting the index sequence into a first feature vector sequence based on the pre-training model;
based on the self-coding network, converting the first characteristic vector sequence into a second characteristic vector sequence and performing loss calculation so as to train the industrial control protocol data anomaly detection model,
based on the combined coding module, binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code, and converting the combined code into an index value, so as to obtain an index sequence, wherein the step of obtaining the index sequence comprises:
binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code to obtain a sample sequence, wherein the sample sequence comprises a second number of combined codes; converting the sample sequence into an index sequence by converting the combined codes in the sample sequence into index values based on a preset index dictionary library, wherein each index value in the index dictionary library corresponds to one combined code,
wherein the step of converting the index sequence into a first feature vector sequence based on the pre-training model comprises:
converting the index sequence into a first feature vector sequence by converting the index values in the index sequence into feature vectors based on the pre-training model, wherein each index value is converted into a feature vector with preset dimensionality, and the first feature vector sequence comprises a second quantity of feature vectors.
2. The training method of claim 1, wherein the index dictionary base includes 256 kinds of correspondence relationships between index values and combination codes.
3. The training method of claim 1, wherein the step of converting the first feature vector sequence into a second feature vector sequence and performing loss calculation based on the self-coding network, so as to train the industrial control protocol data anomaly detection model comprises:
based on the self-coding network, performing dimensionality reduction compression and decoding reduction on each feature vector in the first feature vector sequence to obtain a second feature vector sequence, wherein the second feature vector sequence comprises a second number of feature vectors with preset dimensionality;
and performing loss calculation on the industrial control protocol data anomaly detection model based on the first characteristic vector sequence and the second characteristic vector sequence.
4. The training method of claim 3, wherein the self-coding network comprises an encoder and a decoder, and wherein the step of performing dimension reduction compression and decoding recovery on each feature vector in the first feature vector sequence based on the self-coding network to obtain a second feature vector sequence comprises:
performing dimension reduction compression on each feature vector in the first feature vector sequence based on the encoder;
and decoding and restoring each feature vector after dimension reduction compression based on the decoder to obtain a second feature vector sequence.
5. The training method of claim 4, wherein the step of converting the first feature vector sequence into a second feature vector sequence and performing loss calculation based on the self-coding network, so as to train the industrial control protocol data anomaly detection model further comprises:
and adjusting parameters of the pre-training model and the self-coding network based on the loss calculation result, so that the second feature vector sequence output by the industrial control protocol data anomaly detection model meets the preset requirement.
6. An anomaly detection method for industrial control protocol data is characterized by comprising the following steps:
acquiring an industrial control protocol data stream to be detected, wherein the industrial control protocol data stream to be detected is data expressed in hexadecimal;
taking the industrial control protocol data stream to be detected as input, and performing loss calculation by using an industrial control protocol data anomaly detection model obtained by the training method according to any one of claims 1 to 5;
and determining that the industrial control protocol data stream to be detected is an abnormal data stream based on the fact that the loss value obtained by the loss calculation is larger than a preset threshold value.
7. The training device for the industrial control protocol data anomaly detection model is characterized in that the industrial control protocol data anomaly detection model comprises a combined coding module, a pre-training model and a self-coding network, wherein the training device comprises:
the data acquisition unit is configured to acquire an industrial control protocol data stream, wherein the industrial control protocol data stream is data expressed in hexadecimal;
the combined encoding unit is configured to bind every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code based on the combined encoding module, and convert the combined code into an index value so as to obtain an index sequence, wherein the industrial control protocol data stream comprises a first number of hexadecimal numbers, the index sequence comprises a second number of index values, and the first number is 2 times of the second number;
a vector representation unit configured to convert the index sequence into a first feature vector sequence based on the pre-training model;
a network training unit configured to convert the first feature vector sequence into a second feature vector sequence based on the self-coding network and perform loss calculation, so as to train the industrial control protocol data anomaly detection model,
wherein the combined encoding unit is further configured to: binding every two adjacent hexadecimal numbers in the industrial control protocol data stream into a combined code to obtain a sample sequence, wherein the sample sequence comprises a second number of combined codes; converting the sample sequence into an index sequence by converting the combined codes in the sample sequence into index values based on a preset index dictionary library, wherein each index value in the index dictionary library corresponds to one combined code,
wherein the vector representation unit is further configured to: converting the index sequence into a first feature vector sequence by converting the index values in the index sequence into feature vectors based on the pre-training model, wherein each index value is converted into a feature vector with preset dimensionality, and the first feature vector sequence comprises a second quantity of feature vectors.
8. A computer-readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements a method for training an industrial control protocol data anomaly detection model according to any one of claims 1 to 5 or a method for anomaly detection of industrial control protocol data according to claim 6.
9. A computing device, the computing device comprising:
a processor; and
a memory storing a computer program which, when executed by the processor, implements a method of training an industrial control protocol data anomaly detection model according to any one of claims 1 to 5 or a method of anomaly detection of industrial control protocol data according to claim 6.
CN202111337679.XA 2021-11-12 2021-11-12 Training method and training device for industrial control protocol data anomaly detection model Active CN113779045B (en)

Publications (2)

Publication Number Publication Date
CN113779045A CN113779045A (en) 2021-12-10
CN113779045B true CN113779045B (en) 2022-02-22

Family

ID=78957032

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant