CN116628554B - Industrial Internet data anomaly detection method, system and equipment - Google Patents
Industrial Internet data anomaly detection method, system and equipment Download PDFInfo
- Publication number
- CN116628554B CN116628554B CN202310627119.0A CN202310627119A CN116628554B CN 116628554 B CN116628554 B CN 116628554B CN 202310627119 A CN202310627119 A CN 202310627119A CN 116628554 B CN116628554 B CN 116628554B
- Authority
- CN
- China
- Prior art keywords
- characteristic
- node
- risk level
- initial
- aggregation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000001514 detection method Methods 0.000 title claims description 19
- 230000002159 abnormal effect Effects 0.000 claims abstract description 59
- 238000004220 aggregation Methods 0.000 claims abstract description 55
- 230000002776 aggregation Effects 0.000 claims abstract description 55
- 238000012545 processing Methods 0.000 claims abstract description 19
- 238000000034 method Methods 0.000 claims abstract description 17
- 238000004891 communication Methods 0.000 claims abstract description 16
- 238000004590 computer program Methods 0.000 claims description 9
- 238000007781 pre-processing Methods 0.000 claims description 6
- 230000003044 adaptive effect Effects 0.000 claims description 5
- 230000005856 abnormality Effects 0.000 claims description 4
- 238000006116 polymerization reaction Methods 0.000 claims description 4
- 238000002372 labelling Methods 0.000 claims description 3
- 238000003860 storage Methods 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 5
- 206010000117 Abnormal behaviour Diseases 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000012512 characterization method Methods 0.000 description 1
- 230000019771 cognition Effects 0.000 description 1
- 230000010485 coping Effects 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000009776 industrial production Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000003062 neural network model Methods 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- 238000007619 statistical method Methods 0.000 description 1
- 238000000547 structure data Methods 0.000 description 1
- 238000012549 training Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/901—Indexing; Data structures therefor; Storage structures
- G06F16/9024—Graphs; Linked lists
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/213—Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/30—Computing systems specially adapted for manufacturing
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Cheminformatics (AREA)
- Evolutionary Computation (AREA)
- Artificial Intelligence (AREA)
- Databases & Information Systems (AREA)
- Bioinformatics & Computational Biology (AREA)
- Computer Security & Cryptography (AREA)
- Evolutionary Biology (AREA)
- Life Sciences & Earth Sciences (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application relates to the technical field of industrial Internet security, in particular to a method, a system and equipment for detecting industrial Internet data anomalies, which are used for acquiring node data from an industrial Internet, converting the node data into a topological graph, carrying out aggregation processing on initial features extracted from the topological graph to obtain aggregation features with strong relevance, simultaneously obtaining self-adaptive parameters based on feature deviation of the aggregation features and the initial features to avoid excessive relevance of the aggregation features, carrying out weighting processing on the aggregation features and the initial features by using the self-adaptive parameters to obtain normal node features with better expression performance and stronger relevance, obtaining feature difference weight ratio capable of reflecting abnormal data content in the nodes by comparing the relevance strength of the normal node features and the initial features, and immediately carrying out different communication authority processing on an industrial Internet platform according to different risk grades of the corresponding nodes so as to maintain the safety of the industrial Internet.
Description
Technical Field
The application relates to the technical field of industrial Internet security, in particular to a method, a system and equipment for detecting industrial Internet data abnormality.
Background
In the wave of industry development, internet security is one of the important factors affecting the wide use of industrial internet. In fact, the security of industrial internet platform data is often poor and is easily targeted by an attacker. The industrial Internet is a combination of a traditional industrial control system and an Internet technology, and the Internet technology breaks through a traditional industrial information safety protection mode while providing convenience for the industrial control system, so that inherent network safety risks of the Internet are inevitably introduced into the industrial Internet. Compared with the traditional Internet, the characteristics of the industrial Internet are more complicated, the related equipment is of a plurality of types, the network points are distributed more densely, and the protocol is relatively fragile, so that more security risks are caused.
In recent years, industrial internet security events are frequent, if an industrial internet data security and credibility exchange sharing comprehensive service platform is subjected to abnormal attack, serious influence is generated on normal operation of industrial production, serious security accidents can be caused, and huge economic loss and serious social influence are generated in the whole industrial field. Therefore, the industrial Internet safety protection is enhanced, and abnormal behaviors in the network are found and processed in time, so that the method is very important for guaranteeing the healthy operation of the industrial Internet.
In the industrial internet, due to the massive, high-dimensional and nonlinear feature extraction requirements of network data, the conventional network abnormal behavior discovery technology has become no longer applicable. The main problems of the technology are low accuracy, high false alarm rate, high missing report rate and the like. Traditional rule-based detection methods are no longer practical because specialized security personnel are required to analyze and extract features from the data and are not able to cope with unknown security risks. In addition, the expert system knowledge base is continuously perfected mainly depending on the change of expert cognition, so that the method is limited by expert level and is difficult to adapt to the current industrial Internet environment. The abnormal behavior discovery method based on the statistical method does not need to be updated and maintained continuously, but cannot perform real-time abnormal behavior discovery, and is complex in calculation under the condition of large data volume, so that the time consumption is high. Although the existing anomaly detection technology can detect partial databases, no effective solution detection and solution for coping with security risks such as data attack exist yet.
Disclosure of Invention
The application provides a method, a system and equipment for detecting industrial Internet data anomalies.
The technical scheme of the application is as follows:
the industrial Internet data anomaly detection method comprises the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
The operation of obtaining the polymerization characteristic in S2 specifically includes:
and carrying out iterative updating on the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics.
In the above detection method, the operation of obtaining the adaptive parameter in S2 specifically includes: and acquiring the characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with the step length and the balance parameter to obtain the self-adaptive parameter.
The operation of obtaining the normal node characteristic in S2 specifically includes: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
In the above detection method, the operation of obtaining the abnormal data risk level of the node in S3 specifically includes:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the abnormal data risk level of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
and if the characteristic difference weight is not smaller than the third threshold value, the risk level of the abnormal data of the corresponding node is a fourth risk level.
If the abnormal data risk level of the node is a first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is a third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for multiple times in a preset period;
and if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
The detection method as described above, before the operation of converting the data into the heterogram in S1, further includes preprocessing the data, where the preprocessing includes sequentially digitizing, normalizing and labeling the data.
A system for detecting anomalies in industrial internet data, comprising:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
The industrial Internet platform running equipment based on the blockchain comprises a processor and a memory, wherein the processor realizes the detection method of the industrial Internet data abnormality when executing the computer program stored in the memory.
A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a method for detecting an industrial internet data anomaly as described above.
The application has the beneficial effects that:
the application provides a detection system for industrial Internet data anomalies, which is characterized in that node data is obtained from an industrial Internet, the node data is converted into a topological graph, initial features extracted from the topological graph are subjected to aggregation processing to obtain aggregation features with strong relevance, meanwhile, in order to avoid excessive relevance of the aggregation features, self-adaptive parameters are obtained based on feature deviation of the aggregation features and the initial features, the self-adaptive parameters are used for carrying out weighted processing on the aggregation features and the initial features to obtain normal node features with better expression performance and stronger relevance, the feature difference weight ratio capable of reflecting the content of the abnormal data in the nodes is obtained by comparing the relevance strength of the normal node features and the initial features, different risk grades of corresponding nodes are obtained according to the feature difference weight ratio, and an industrial Internet platform immediately carries out different communication authority processing to maintain the safety of the industrial Internet.
Drawings
The aspects and advantages of the present application will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application.
In the drawings:
FIG. 1 is a flow chart of a detection method in an embodiment;
FIG. 2 is a schematic diagram of a detection system according to an embodiment;
fig. 3 is a schematic structural diagram of a detection device in an embodiment.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings.
The embodiment provides a method for detecting industrial internet data anomalies, referring to fig. 1, including the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
S1, acquiring data of nodes, and converting the data into a heterogeneous graph; based on the heterogram, a topology is obtained.
And acquiring data of the nodes from the disclosed industrial Internet platform, constructing and processing the data by the graph to obtain a heterogeneous graph, and mapping and converting the heterogeneous graph into a topological graph. The method is convenient for data processing and improves the calculation efficiency by converting the data information into the topological graph which can be identified by the neural network model under the condition of ensuring that the data information is not lost.
The heterogeneous graph is represented by g= (V, E), V represents a node set in the heterogeneous graph, the nodes in the node set V include nodes with normal features and nodes with abnormal features, and E represents a set of edges formed between the nodes in the heterogeneous graph.
The embedding processing operation is preceded by preprocessing the data of the nodes, wherein the preprocessing comprises sequentially digitizing, normalizing and labeling the data of the nodes. The data is convenient to process after being sequentially digitized, standardized and normalized, the calculation efficiency is improved, and the labeled data can effectively describe the data form of the business entity, for example, the normal data and the abnormal data containing the characteristics of texts, images, audios and the like can be clearly described.
S2, obtaining an aggregation feature after feature processing based on initial features in the topological graph; balancing the difference between the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; and the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics.
The operation to obtain the polymerization characteristics is specifically: and carrying out iterative updating on the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics.
The specific formula is as follows:
for the purpose of aggregation characterization, +.>For the initial feature->UPDATE for domain node feature of node i l (. Cndot.) is an iterative update function, and l is the number of aggregation layers. In an industrial Internet platform, the proportion of abnormal features in nodes is generally smaller, so that the normal features of the nodes have the characteristic of strong relevance, the more the normal features of the nodes are, the more the number of edges between the normal features of the nodes and other nodes are, the stronger the relevance is, the neighborhood node features are aggregated in a repeated iteration mode, the normal features of the nodes have better relevance, high heterogeneity can be kept, and the abnormal data content of the nodes can be accurately identified by utilizing the characteristic.
The feature aggregation can help to improve the performance of normal feature aggregation in an abnormal feature environment, but if the number of model layers is increased, the performance of feature aggregation is poor under the circumstance that training precision is expected to be improved; the performance of the normal feature can be effectively improved through the increase of the layer number, the defect that the aggregation performance of the feature is reduced due to the fact that the layer number is too many is avoided, the performance of the residual connection is easy to reduce due to the existence of the abnormal feature, the excessive association of the aggregation feature is avoided in order to reduce the difference when the aggregation layer and the residual layer are associated, the aggregation feature and the initial feature are balanced, and the self-adaptive parameter which does not weaken the display capability of the abnormal feature in the node and can improve the association of the normal feature is obtained.
The operation of obtaining the adaptive parameters is specifically as follows: and acquiring the characteristic deviation of the aggregate characteristic and the initial characteristic, and combining the characteristic deviation with the step length and the balance parameter to obtain the self-adaptive parameter.
The specific formula is as follows:
ε i is self-adaptive parameter, delta is step length, gamma is balance parameter, gamma is 0,1],Is of polymeric character, (X) in ) i For the initial feature->Is the characteristic deviation. And the balance parameters are utilized to prevent the overlarge difference between the aggregation characteristics and the initial characteristics and the overlarge normal characteristic relevance in the aggregation characteristics, so that the accuracy of the result is prevented from being influenced.
The operation for obtaining the normal node characteristics is specifically as follows: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
The specific formula is as follows:
X' i to balance out normal node characteristics after the expression of industrial Internet abnormal data i Is an adaptive parameter, (X) in ) i As an initial feature of the device,for aggregate features, i is a node. The linear combination of the input features and the aggregation features is adopted, the node features are weighted based on node residual error self-adaptive parameters, and the feature representation of the normal features is more consistent with the feature representation of the local neighbors than the abnormal features according to the homogeneity assumption of the graph structure data, so that more residual errors are distributed, and therefore, the normal node features with better expression performance and stronger relevance can be obtained.
The characteristics of the nodes are extracted from the topological graph by using the graph embedding operation, the nodes in the topological graph are mapped to a low-dimensional vector space by the graph embedding operation, the relationship and the similarity among the nodes are reserved, and the accuracy of a processing result is facilitated.
S3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; and comparing the characteristic difference weight ratio with a threshold value to obtain the abnormal data risk level of the node.
And comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain the characteristic difference weight proportion. The larger the feature difference is, the larger the difference between the normal feature and the normal node feature in the initial feature is, the lower the normal feature association strength in the initial feature is, the more abnormal data is, and the greater the possibility of dangerous industrial Internet security is.
Comparing the characteristic difference weight ratio with the threshold value to obtain the abnormal data risk level of the node, wherein the abnormal data risk level is specifically as follows:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the risk level of the abnormal data of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
if the feature difference weight is not smaller than the third threshold, the risk level of the abnormal data of the corresponding node is a fourth risk level.
The first threshold is 0.2, the second threshold is 0.4, the third threshold is 0.7, the first risk level is low risk, the second risk level is medium risk, the third risk level is medium and high risk, and the fourth risk level is high risk. And S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
If the abnormal data risk level of the node is the first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is the third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for a plurality of times in a preset period; the delay time is 5min, the preset period is 15 min, and the detection times are 2 times.
And if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
The embodiment provides a detection system for industrial internet data anomaly, referring to fig. 2, including:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the difference between the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain the characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain abnormal data risk level of the node;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
The embodiment provides a blockchain-based industrial internet platform running device, referring to fig. 3, which comprises a processor and a memory, wherein the processor implements the method for detecting industrial internet data anomalies when executing a computer program stored in the memory.
The present embodiment provides a computer readable storage medium for storing a computer program, where the computer program when executed by a processor implements a method for detecting an industrial internet data anomaly as described above.
The embodiment provides a detection system for industrial Internet data abnormality, which is characterized in that node data is obtained from an industrial Internet, the node data is converted into a topological graph, initial features extracted from the topological graph are subjected to aggregation processing to obtain aggregation features with strong relevance, meanwhile, in order to avoid excessive relevance of the aggregation features, self-adaptive parameters are obtained based on feature deviation of the aggregation features and the initial features, the aggregation features and the initial features are weighted by the self-adaptive parameters to obtain normal node features with better expression performance and stronger relevance, the feature difference weight ratio capable of reflecting abnormal data content in the nodes is obtained by comparing the relevance intensity of the normal node features and the initial features, different risk grades of corresponding nodes are obtained according to the feature difference weight ratio, and the industrial Internet platform immediately carries out different communication authority processing to maintain the safety of the industrial Internet.
Claims (8)
1. The method for detecting the industrial Internet data abnormality is characterized by comprising the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the operation of obtaining the polymerization characteristics is specifically as follows: iteratively updating the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics;
the operation of obtaining the adaptive parameter is specifically: acquiring characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with a step length and a balance parameter to obtain the self-adaptive parameter;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
the operation of obtaining the characteristic difference weight ratio is specifically as follows: comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain characteristic difference weight proportion;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
2. The detection method according to claim 1, wherein the operation of obtaining the normal node characteristic in S2 is specifically: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
3. The detection method according to claim 1, wherein the operation of obtaining the abnormal data risk level of the node in S3 is specifically:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the abnormal data risk level of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
and if the characteristic difference weight is not smaller than the third threshold value, the risk level of the abnormal data of the corresponding node is a fourth risk level.
4. The method according to claim 3, wherein,
if the abnormal data risk level of the node is the first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is a third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for multiple times in a preset period;
and if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
5. The method according to claim 1, wherein the step of converting the data into the heterogram in S1 further comprises preprocessing the data, and the preprocessing includes sequentially digitizing, normalizing and labeling the data.
6. A system for detecting anomalies in industrial internet data, comprising:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics; the operation of obtaining the polymerization characteristics is specifically as follows: iteratively updating the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics; the operation of obtaining the adaptive parameter is specifically: acquiring characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with a step length and a balance parameter to obtain the self-adaptive parameter;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node; the operation of obtaining the characteristic difference weight ratio is specifically as follows: comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain the characteristic difference weight proportion;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
7. An industrial internet platform running device based on a blockchain, comprising a processor and a memory, wherein the processor implements a method for detecting an industrial internet data anomaly according to any one of claims 1-5 when executing a computer program stored in the memory.
8. A computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements a method of detecting an industrial internet data anomaly as claimed in any one of claims 1 to 5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310627119.0A CN116628554B (en) | 2023-05-31 | 2023-05-31 | Industrial Internet data anomaly detection method, system and equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310627119.0A CN116628554B (en) | 2023-05-31 | 2023-05-31 | Industrial Internet data anomaly detection method, system and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116628554A CN116628554A (en) | 2023-08-22 |
CN116628554B true CN116628554B (en) | 2023-11-03 |
Family
ID=87602321
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310627119.0A Active CN116628554B (en) | 2023-05-31 | 2023-05-31 | Industrial Internet data anomaly detection method, system and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116628554B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117150416B (en) * | 2023-10-27 | 2024-03-08 | 烟台大学 | Method, system, medium and equipment for detecting abnormal nodes of industrial Internet |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103888304A (en) * | 2012-12-19 | 2014-06-25 | 华为技术有限公司 | Abnormity detection method of multi-node application and related apparatus |
US9787640B1 (en) * | 2014-02-11 | 2017-10-10 | DataVisor Inc. | Using hypergraphs to determine suspicious user activities |
WO2020159439A1 (en) * | 2019-01-29 | 2020-08-06 | Singapore Telecommunications Limited | System and method for network anomaly detection and analysis |
CN112541022A (en) * | 2020-12-18 | 2021-03-23 | 网易(杭州)网络有限公司 | Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment |
CN112749396A (en) * | 2021-01-21 | 2021-05-04 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and storage medium for constructing security vulnerability knowledge graph |
WO2021189730A1 (en) * | 2020-03-27 | 2021-09-30 | 深圳壹账通智能科技有限公司 | Method, apparatus and device for detecting abnormal dense subgraph, and storage medium |
CN113556354A (en) * | 2021-07-29 | 2021-10-26 | 国家工业信息安全发展研究中心 | Industrial Internet security threat detection method and system based on flow analysis |
CN113642005A (en) * | 2021-08-17 | 2021-11-12 | 安天科技集团股份有限公司 | Defensiveness assessment method, device, equipment and medium for safety protection product |
CN114612235A (en) * | 2022-03-09 | 2022-06-10 | 烟台大学 | Block chain abnormal behavior detection method based on graph embedding |
CN114722937A (en) * | 2022-04-06 | 2022-07-08 | 腾讯科技(深圳)有限公司 | Abnormal data detection method and device, electronic equipment and storage medium |
CN115514581A (en) * | 2022-11-16 | 2022-12-23 | 国家工业信息安全发展研究中心 | Data analysis method and equipment for industrial internet data security platform |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10009363B2 (en) * | 2016-06-09 | 2018-06-26 | Adobe Systems Incorporated | Selecting representative metrics datasets for efficient detection of anomalous data |
-
2023
- 2023-05-31 CN CN202310627119.0A patent/CN116628554B/en active Active
Patent Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103888304A (en) * | 2012-12-19 | 2014-06-25 | 华为技术有限公司 | Abnormity detection method of multi-node application and related apparatus |
US9787640B1 (en) * | 2014-02-11 | 2017-10-10 | DataVisor Inc. | Using hypergraphs to determine suspicious user activities |
WO2020159439A1 (en) * | 2019-01-29 | 2020-08-06 | Singapore Telecommunications Limited | System and method for network anomaly detection and analysis |
WO2021189730A1 (en) * | 2020-03-27 | 2021-09-30 | 深圳壹账通智能科技有限公司 | Method, apparatus and device for detecting abnormal dense subgraph, and storage medium |
CN112541022A (en) * | 2020-12-18 | 2021-03-23 | 网易(杭州)网络有限公司 | Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment |
CN112749396A (en) * | 2021-01-21 | 2021-05-04 | 恒安嘉新(北京)科技股份公司 | Method, device, equipment and storage medium for constructing security vulnerability knowledge graph |
CN113556354A (en) * | 2021-07-29 | 2021-10-26 | 国家工业信息安全发展研究中心 | Industrial Internet security threat detection method and system based on flow analysis |
CN113642005A (en) * | 2021-08-17 | 2021-11-12 | 安天科技集团股份有限公司 | Defensiveness assessment method, device, equipment and medium for safety protection product |
CN114612235A (en) * | 2022-03-09 | 2022-06-10 | 烟台大学 | Block chain abnormal behavior detection method based on graph embedding |
CN114722937A (en) * | 2022-04-06 | 2022-07-08 | 腾讯科技(深圳)有限公司 | Abnormal data detection method and device, electronic equipment and storage medium |
CN115514581A (en) * | 2022-11-16 | 2022-12-23 | 国家工业信息安全发展研究中心 | Data analysis method and equipment for industrial internet data security platform |
Non-Patent Citations (2)
Title |
---|
Early warning model for industrial internet platform based on graph neural network and time convolution network;Chang Guo等;《Journal of Ambient Intelligence and Humanized Computing》;第 552–564页 * |
提升工业互联网平台数据异常检测准确性研究;齐坤;;通讯世界(第12期);第125-126页 * |
Also Published As
Publication number | Publication date |
---|---|
CN116628554A (en) | 2023-08-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP7010641B2 (en) | Abnormality diagnosis method and abnormality diagnosis device | |
Zheng et al. | Raw wind data preprocessing: A data-mining approach | |
Chang et al. | Anomaly detection for industrial control systems using k-means and convolutional autoencoder | |
TW200849917A (en) | Detecting method of network invasion | |
CN116628554B (en) | Industrial Internet data anomaly detection method, system and equipment | |
CN109088744A (en) | Powerline network abnormal intrusion detection method, device, equipment and storage medium | |
CN114448657B (en) | Distribution communication network security situation awareness and abnormal intrusion detection method | |
CN110830504A (en) | Network intrusion behavior detection method and system | |
CN112804248B (en) | LDoS attack detection method based on frequency domain feature fusion | |
CN117614978A (en) | Information security communication management system for digital workshop | |
CN115296933B (en) | Industrial production data risk level assessment method and system | |
CN116563690A (en) | Unmanned aerial vehicle sensor type unbalanced data anomaly detection method and detection system | |
CN112039907A (en) | Automatic testing method and system based on Internet of things terminal evaluation platform | |
CN114970694A (en) | Network security situation assessment method and model training method thereof | |
CN114118680A (en) | Network security situation assessment method and system | |
Jingyi et al. | ELM Network Intrusion Detection Model Based on SLPP Feature Extraction | |
CN113162904A (en) | Power monitoring system network security alarm evaluation method based on probability graph model | |
CN116781418B (en) | SDN malicious controller detection method based on neural network and SVM | |
Xiang et al. | Applying fuzzy data mining to network unsupervised anomaly detection | |
JP7325557B2 (en) | Abnormality diagnosis method and abnormality diagnosis device | |
CN113347021B (en) | Model generation method, collision library detection method, device, electronic equipment and computer readable storage medium | |
CN117473571B (en) | Data information security processing method and system | |
Qu et al. | Metric learning with neural network for modbus/tcp anomaly detection | |
Xiang et al. | Application of Fuzzy ART for unsupervised anomaly detection system | |
CN116720439A (en) | Robustness assessment method, device and storage medium for power system integrated tree application |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |