CN116628554B - Industrial Internet data anomaly detection method, system and equipment - Google Patents

Industrial Internet data anomaly detection method, system and equipment Download PDF

Info

Publication number
CN116628554B
CN116628554B CN202310627119.0A CN202310627119A CN116628554B CN 116628554 B CN116628554 B CN 116628554B CN 202310627119 A CN202310627119 A CN 202310627119A CN 116628554 B CN116628554 B CN 116628554B
Authority
CN
China
Prior art keywords
characteristic
node
risk level
initial
aggregation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202310627119.0A
Other languages
Chinese (zh)
Other versions
CN116628554A (en
Inventor
刘兆伟
赵宗星
王莹洁
徐金东
阎维青
宋永超
赵相福
姜岸佐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yantai University
Original Assignee
Yantai University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Yantai University filed Critical Yantai University
Priority to CN202310627119.0A priority Critical patent/CN116628554B/en
Publication of CN116628554A publication Critical patent/CN116628554A/en
Application granted granted Critical
Publication of CN116628554B publication Critical patent/CN116628554B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9024Graphs; Linked lists
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/213Feature extraction, e.g. by transforming the feature space; Summarisation; Mappings, e.g. subspace methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02PCLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Computation (AREA)
  • Artificial Intelligence (AREA)
  • Databases & Information Systems (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • Computer Security & Cryptography (AREA)
  • Evolutionary Biology (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Software Systems (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to the technical field of industrial Internet security, in particular to a method, a system and equipment for detecting industrial Internet data anomalies, which are used for acquiring node data from an industrial Internet, converting the node data into a topological graph, carrying out aggregation processing on initial features extracted from the topological graph to obtain aggregation features with strong relevance, simultaneously obtaining self-adaptive parameters based on feature deviation of the aggregation features and the initial features to avoid excessive relevance of the aggregation features, carrying out weighting processing on the aggregation features and the initial features by using the self-adaptive parameters to obtain normal node features with better expression performance and stronger relevance, obtaining feature difference weight ratio capable of reflecting abnormal data content in the nodes by comparing the relevance strength of the normal node features and the initial features, and immediately carrying out different communication authority processing on an industrial Internet platform according to different risk grades of the corresponding nodes so as to maintain the safety of the industrial Internet.

Description

Industrial Internet data anomaly detection method, system and equipment
Technical Field
The application relates to the technical field of industrial Internet security, in particular to a method, a system and equipment for detecting industrial Internet data abnormality.
Background
In the wave of industry development, internet security is one of the important factors affecting the wide use of industrial internet. In fact, the security of industrial internet platform data is often poor and is easily targeted by an attacker. The industrial Internet is a combination of a traditional industrial control system and an Internet technology, and the Internet technology breaks through a traditional industrial information safety protection mode while providing convenience for the industrial control system, so that inherent network safety risks of the Internet are inevitably introduced into the industrial Internet. Compared with the traditional Internet, the characteristics of the industrial Internet are more complicated, the related equipment is of a plurality of types, the network points are distributed more densely, and the protocol is relatively fragile, so that more security risks are caused.
In recent years, industrial internet security events are frequent, if an industrial internet data security and credibility exchange sharing comprehensive service platform is subjected to abnormal attack, serious influence is generated on normal operation of industrial production, serious security accidents can be caused, and huge economic loss and serious social influence are generated in the whole industrial field. Therefore, the industrial Internet safety protection is enhanced, and abnormal behaviors in the network are found and processed in time, so that the method is very important for guaranteeing the healthy operation of the industrial Internet.
In the industrial internet, due to the massive, high-dimensional and nonlinear feature extraction requirements of network data, the conventional network abnormal behavior discovery technology has become no longer applicable. The main problems of the technology are low accuracy, high false alarm rate, high missing report rate and the like. Traditional rule-based detection methods are no longer practical because specialized security personnel are required to analyze and extract features from the data and are not able to cope with unknown security risks. In addition, the expert system knowledge base is continuously perfected mainly depending on the change of expert cognition, so that the method is limited by expert level and is difficult to adapt to the current industrial Internet environment. The abnormal behavior discovery method based on the statistical method does not need to be updated and maintained continuously, but cannot perform real-time abnormal behavior discovery, and is complex in calculation under the condition of large data volume, so that the time consumption is high. Although the existing anomaly detection technology can detect partial databases, no effective solution detection and solution for coping with security risks such as data attack exist yet.
Disclosure of Invention
The application provides a method, a system and equipment for detecting industrial Internet data anomalies.
The technical scheme of the application is as follows:
the industrial Internet data anomaly detection method comprises the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
The operation of obtaining the polymerization characteristic in S2 specifically includes:
and carrying out iterative updating on the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics.
In the above detection method, the operation of obtaining the adaptive parameter in S2 specifically includes: and acquiring the characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with the step length and the balance parameter to obtain the self-adaptive parameter.
The operation of obtaining the normal node characteristic in S2 specifically includes: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
In the above detection method, the operation of obtaining the abnormal data risk level of the node in S3 specifically includes:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the abnormal data risk level of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
and if the characteristic difference weight is not smaller than the third threshold value, the risk level of the abnormal data of the corresponding node is a fourth risk level.
If the abnormal data risk level of the node is a first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is a third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for multiple times in a preset period;
and if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
The detection method as described above, before the operation of converting the data into the heterogram in S1, further includes preprocessing the data, where the preprocessing includes sequentially digitizing, normalizing and labeling the data.
A system for detecting anomalies in industrial internet data, comprising:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
The industrial Internet platform running equipment based on the blockchain comprises a processor and a memory, wherein the processor realizes the detection method of the industrial Internet data abnormality when executing the computer program stored in the memory.
A computer readable storage medium storing a computer program, wherein the computer program when executed by a processor implements a method for detecting an industrial internet data anomaly as described above.
The application has the beneficial effects that:
the application provides a detection system for industrial Internet data anomalies, which is characterized in that node data is obtained from an industrial Internet, the node data is converted into a topological graph, initial features extracted from the topological graph are subjected to aggregation processing to obtain aggregation features with strong relevance, meanwhile, in order to avoid excessive relevance of the aggregation features, self-adaptive parameters are obtained based on feature deviation of the aggregation features and the initial features, the self-adaptive parameters are used for carrying out weighted processing on the aggregation features and the initial features to obtain normal node features with better expression performance and stronger relevance, the feature difference weight ratio capable of reflecting the content of the abnormal data in the nodes is obtained by comparing the relevance strength of the normal node features and the initial features, different risk grades of corresponding nodes are obtained according to the feature difference weight ratio, and an industrial Internet platform immediately carries out different communication authority processing to maintain the safety of the industrial Internet.
Drawings
The aspects and advantages of the present application will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application.
In the drawings:
FIG. 1 is a flow chart of a detection method in an embodiment;
FIG. 2 is a schematic diagram of a detection system according to an embodiment;
fig. 3 is a schematic structural diagram of a detection device in an embodiment.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings.
The embodiment provides a method for detecting industrial internet data anomalies, referring to fig. 1, including the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
S1, acquiring data of nodes, and converting the data into a heterogeneous graph; based on the heterogram, a topology is obtained.
And acquiring data of the nodes from the disclosed industrial Internet platform, constructing and processing the data by the graph to obtain a heterogeneous graph, and mapping and converting the heterogeneous graph into a topological graph. The method is convenient for data processing and improves the calculation efficiency by converting the data information into the topological graph which can be identified by the neural network model under the condition of ensuring that the data information is not lost.
The heterogeneous graph is represented by g= (V, E), V represents a node set in the heterogeneous graph, the nodes in the node set V include nodes with normal features and nodes with abnormal features, and E represents a set of edges formed between the nodes in the heterogeneous graph.
The embedding processing operation is preceded by preprocessing the data of the nodes, wherein the preprocessing comprises sequentially digitizing, normalizing and labeling the data of the nodes. The data is convenient to process after being sequentially digitized, standardized and normalized, the calculation efficiency is improved, and the labeled data can effectively describe the data form of the business entity, for example, the normal data and the abnormal data containing the characteristics of texts, images, audios and the like can be clearly described.
S2, obtaining an aggregation feature after feature processing based on initial features in the topological graph; balancing the difference between the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; and the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics.
The operation to obtain the polymerization characteristics is specifically: and carrying out iterative updating on the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics.
The specific formula is as follows:
for the purpose of aggregation characterization, +.>For the initial feature->UPDATE for domain node feature of node i l (. Cndot.) is an iterative update function, and l is the number of aggregation layers. In an industrial Internet platform, the proportion of abnormal features in nodes is generally smaller, so that the normal features of the nodes have the characteristic of strong relevance, the more the normal features of the nodes are, the more the number of edges between the normal features of the nodes and other nodes are, the stronger the relevance is, the neighborhood node features are aggregated in a repeated iteration mode, the normal features of the nodes have better relevance, high heterogeneity can be kept, and the abnormal data content of the nodes can be accurately identified by utilizing the characteristic.
The feature aggregation can help to improve the performance of normal feature aggregation in an abnormal feature environment, but if the number of model layers is increased, the performance of feature aggregation is poor under the circumstance that training precision is expected to be improved; the performance of the normal feature can be effectively improved through the increase of the layer number, the defect that the aggregation performance of the feature is reduced due to the fact that the layer number is too many is avoided, the performance of the residual connection is easy to reduce due to the existence of the abnormal feature, the excessive association of the aggregation feature is avoided in order to reduce the difference when the aggregation layer and the residual layer are associated, the aggregation feature and the initial feature are balanced, and the self-adaptive parameter which does not weaken the display capability of the abnormal feature in the node and can improve the association of the normal feature is obtained.
The operation of obtaining the adaptive parameters is specifically as follows: and acquiring the characteristic deviation of the aggregate characteristic and the initial characteristic, and combining the characteristic deviation with the step length and the balance parameter to obtain the self-adaptive parameter.
The specific formula is as follows:
ε i is self-adaptive parameter, delta is step length, gamma is balance parameter, gamma is 0,1],Is of polymeric character, (X) in ) i For the initial feature->Is the characteristic deviation. And the balance parameters are utilized to prevent the overlarge difference between the aggregation characteristics and the initial characteristics and the overlarge normal characteristic relevance in the aggregation characteristics, so that the accuracy of the result is prevented from being influenced.
The operation for obtaining the normal node characteristics is specifically as follows: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
The specific formula is as follows:
X' i to balance out normal node characteristics after the expression of industrial Internet abnormal data i Is an adaptive parameter, (X) in ) i As an initial feature of the device,for aggregate features, i is a node. The linear combination of the input features and the aggregation features is adopted, the node features are weighted based on node residual error self-adaptive parameters, and the feature representation of the normal features is more consistent with the feature representation of the local neighbors than the abnormal features according to the homogeneity assumption of the graph structure data, so that more residual errors are distributed, and therefore, the normal node features with better expression performance and stronger relevance can be obtained.
The characteristics of the nodes are extracted from the topological graph by using the graph embedding operation, the nodes in the topological graph are mapped to a low-dimensional vector space by the graph embedding operation, the relationship and the similarity among the nodes are reserved, and the accuracy of a processing result is facilitated.
S3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; and comparing the characteristic difference weight ratio with a threshold value to obtain the abnormal data risk level of the node.
And comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain the characteristic difference weight proportion. The larger the feature difference is, the larger the difference between the normal feature and the normal node feature in the initial feature is, the lower the normal feature association strength in the initial feature is, the more abnormal data is, and the greater the possibility of dangerous industrial Internet security is.
Comparing the characteristic difference weight ratio with the threshold value to obtain the abnormal data risk level of the node, wherein the abnormal data risk level is specifically as follows:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the risk level of the abnormal data of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
if the feature difference weight is not smaller than the third threshold, the risk level of the abnormal data of the corresponding node is a fourth risk level.
The first threshold is 0.2, the second threshold is 0.4, the third threshold is 0.7, the first risk level is low risk, the second risk level is medium risk, the third risk level is medium and high risk, and the fourth risk level is high risk. And S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
If the abnormal data risk level of the node is the first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is the third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for a plurality of times in a preset period; the delay time is 5min, the preset period is 15 min, and the detection times are 2 times.
And if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
The embodiment provides a detection system for industrial internet data anomaly, referring to fig. 2, including:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the difference between the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain the characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain abnormal data risk level of the node;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
The embodiment provides a blockchain-based industrial internet platform running device, referring to fig. 3, which comprises a processor and a memory, wherein the processor implements the method for detecting industrial internet data anomalies when executing a computer program stored in the memory.
The present embodiment provides a computer readable storage medium for storing a computer program, where the computer program when executed by a processor implements a method for detecting an industrial internet data anomaly as described above.
The embodiment provides a detection system for industrial Internet data abnormality, which is characterized in that node data is obtained from an industrial Internet, the node data is converted into a topological graph, initial features extracted from the topological graph are subjected to aggregation processing to obtain aggregation features with strong relevance, meanwhile, in order to avoid excessive relevance of the aggregation features, self-adaptive parameters are obtained based on feature deviation of the aggregation features and the initial features, the aggregation features and the initial features are weighted by the self-adaptive parameters to obtain normal node features with better expression performance and stronger relevance, the feature difference weight ratio capable of reflecting abnormal data content in the nodes is obtained by comparing the relevance intensity of the normal node features and the initial features, different risk grades of corresponding nodes are obtained according to the feature difference weight ratio, and the industrial Internet platform immediately carries out different communication authority processing to maintain the safety of the industrial Internet.

Claims (8)

1. The method for detecting the industrial Internet data abnormality is characterized by comprising the following operations:
s1, acquiring data of nodes, and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
s2, obtaining an aggregation feature after feature processing based on the initial feature in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics;
the operation of obtaining the polymerization characteristics is specifically as follows: iteratively updating the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics;
the operation of obtaining the adaptive parameter is specifically: acquiring characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with a step length and a balance parameter to obtain the self-adaptive parameter;
s3, comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node;
the operation of obtaining the characteristic difference weight ratio is specifically as follows: comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain characteristic difference weight proportion;
and S4, updating the communication authority of the corresponding node based on the abnormal data risk level.
2. The detection method according to claim 1, wherein the operation of obtaining the normal node characteristic in S2 is specifically: and weighting the aggregate characteristic and the initial characteristic based on the self-adaptive parameter to obtain the normal node characteristic.
3. The detection method according to claim 1, wherein the operation of obtaining the abnormal data risk level of the node in S3 is specifically:
if the characteristic difference weight ratio is smaller than a first threshold value, the risk level of the abnormal data of the corresponding node is a first risk level;
if the characteristic difference weight ratio is not smaller than the first threshold value and not larger than the second threshold value, the abnormal data risk level of the corresponding node is a second risk level;
if the characteristic difference weight ratio is larger than the second threshold value and smaller than the third threshold value, the abnormal data risk level of the corresponding node is a third risk level;
and if the characteristic difference weight is not smaller than the third threshold value, the risk level of the abnormal data of the corresponding node is a fourth risk level.
4. The method according to claim 3, wherein,
if the abnormal data risk level of the node is the first risk level, opening all communication authorities of the corresponding nodes;
if the abnormal data risk level of the node is the second risk level, the corresponding node can only communicate with the node of the first risk level;
if the abnormal data risk level of the node is a third risk level, delaying the time of the corresponding node entering the industrial Internet, and detecting the corresponding node for multiple times in a preset period;
and if the abnormal data risk level of the node is the fourth risk level, eliminating the corresponding node from the industrial Internet.
5. The method according to claim 1, wherein the step of converting the data into the heterogram in S1 further comprises preprocessing the data, and the preprocessing includes sequentially digitizing, normalizing and labeling the data.
6. A system for detecting anomalies in industrial internet data, comprising:
the topological graph generation module is used for acquiring data of the nodes and converting the data into a heterogeneous graph; obtaining a topological graph based on the heterogeneous graph;
the normal node characteristic generating module is used for obtaining an aggregation characteristic after characteristic processing based on the initial characteristic in the topological graph; balancing the variability of the aggregation characteristic and the initial characteristic to obtain a self-adaptive parameter; the self-adaptive parameters are combined with the aggregation characteristics and the initial characteristics to obtain normal node characteristics; the operation of obtaining the polymerization characteristics is specifically as follows: iteratively updating the initial characteristics of the nodes in the topological graph and the characteristics of the neighborhood nodes to obtain the aggregation characteristics; the operation of obtaining the adaptive parameter is specifically: acquiring characteristic deviation of the aggregation characteristic and the initial characteristic, wherein the characteristic deviation is combined with a step length and a balance parameter to obtain the self-adaptive parameter;
the abnormal data risk level generation module is used for comparing the normal node characteristics with the initial characteristics to obtain a characteristic difference weight ratio; comparing the characteristic difference weight ratio with a threshold value to obtain an abnormal data risk level of the node; the operation of obtaining the characteristic difference weight ratio is specifically as follows: comparing the normal node characteristics with normal characteristics in the initial characteristics to obtain characteristic differences, and calculating the proportion of the characteristic differences to the initial characteristics to obtain the characteristic difference weight proportion;
and the communication authority updating module is used for updating the communication authority of the corresponding node based on the abnormal data risk level.
7. An industrial internet platform running device based on a blockchain, comprising a processor and a memory, wherein the processor implements a method for detecting an industrial internet data anomaly according to any one of claims 1-5 when executing a computer program stored in the memory.
8. A computer readable storage medium for storing a computer program, wherein the computer program when executed by a processor implements a method of detecting an industrial internet data anomaly as claimed in any one of claims 1 to 5.
CN202310627119.0A 2023-05-31 2023-05-31 Industrial Internet data anomaly detection method, system and equipment Active CN116628554B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310627119.0A CN116628554B (en) 2023-05-31 2023-05-31 Industrial Internet data anomaly detection method, system and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310627119.0A CN116628554B (en) 2023-05-31 2023-05-31 Industrial Internet data anomaly detection method, system and equipment

Publications (2)

Publication Number Publication Date
CN116628554A CN116628554A (en) 2023-08-22
CN116628554B true CN116628554B (en) 2023-11-03

Family

ID=87602321

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310627119.0A Active CN116628554B (en) 2023-05-31 2023-05-31 Industrial Internet data anomaly detection method, system and equipment

Country Status (1)

Country Link
CN (1) CN116628554B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117150416B (en) * 2023-10-27 2024-03-08 烟台大学 Method, system, medium and equipment for detecting abnormal nodes of industrial Internet

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888304A (en) * 2012-12-19 2014-06-25 华为技术有限公司 Abnormity detection method of multi-node application and related apparatus
US9787640B1 (en) * 2014-02-11 2017-10-10 DataVisor Inc. Using hypergraphs to determine suspicious user activities
WO2020159439A1 (en) * 2019-01-29 2020-08-06 Singapore Telecommunications Limited System and method for network anomaly detection and analysis
CN112541022A (en) * 2020-12-18 2021-03-23 网易(杭州)网络有限公司 Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment
CN112749396A (en) * 2021-01-21 2021-05-04 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for constructing security vulnerability knowledge graph
WO2021189730A1 (en) * 2020-03-27 2021-09-30 深圳壹账通智能科技有限公司 Method, apparatus and device for detecting abnormal dense subgraph, and storage medium
CN113556354A (en) * 2021-07-29 2021-10-26 国家工业信息安全发展研究中心 Industrial Internet security threat detection method and system based on flow analysis
CN113642005A (en) * 2021-08-17 2021-11-12 安天科技集团股份有限公司 Defensiveness assessment method, device, equipment and medium for safety protection product
CN114612235A (en) * 2022-03-09 2022-06-10 烟台大学 Block chain abnormal behavior detection method based on graph embedding
CN114722937A (en) * 2022-04-06 2022-07-08 腾讯科技(深圳)有限公司 Abnormal data detection method and device, electronic equipment and storage medium
CN115514581A (en) * 2022-11-16 2022-12-23 国家工业信息安全发展研究中心 Data analysis method and equipment for industrial internet data security platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10009363B2 (en) * 2016-06-09 2018-06-26 Adobe Systems Incorporated Selecting representative metrics datasets for efficient detection of anomalous data

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103888304A (en) * 2012-12-19 2014-06-25 华为技术有限公司 Abnormity detection method of multi-node application and related apparatus
US9787640B1 (en) * 2014-02-11 2017-10-10 DataVisor Inc. Using hypergraphs to determine suspicious user activities
WO2020159439A1 (en) * 2019-01-29 2020-08-06 Singapore Telecommunications Limited System and method for network anomaly detection and analysis
WO2021189730A1 (en) * 2020-03-27 2021-09-30 深圳壹账通智能科技有限公司 Method, apparatus and device for detecting abnormal dense subgraph, and storage medium
CN112541022A (en) * 2020-12-18 2021-03-23 网易(杭州)网络有限公司 Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment
CN112749396A (en) * 2021-01-21 2021-05-04 恒安嘉新(北京)科技股份公司 Method, device, equipment and storage medium for constructing security vulnerability knowledge graph
CN113556354A (en) * 2021-07-29 2021-10-26 国家工业信息安全发展研究中心 Industrial Internet security threat detection method and system based on flow analysis
CN113642005A (en) * 2021-08-17 2021-11-12 安天科技集团股份有限公司 Defensiveness assessment method, device, equipment and medium for safety protection product
CN114612235A (en) * 2022-03-09 2022-06-10 烟台大学 Block chain abnormal behavior detection method based on graph embedding
CN114722937A (en) * 2022-04-06 2022-07-08 腾讯科技(深圳)有限公司 Abnormal data detection method and device, electronic equipment and storage medium
CN115514581A (en) * 2022-11-16 2022-12-23 国家工业信息安全发展研究中心 Data analysis method and equipment for industrial internet data security platform

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Early warning model for industrial internet platform based on graph neural network and time convolution network;Chang Guo等;《Journal of Ambient Intelligence and Humanized Computing》;第 552–564页 *
提升工业互联网平台数据异常检测准确性研究;齐坤;;通讯世界(第12期);第125-126页 *

Also Published As

Publication number Publication date
CN116628554A (en) 2023-08-22

Similar Documents

Publication Publication Date Title
JP7010641B2 (en) Abnormality diagnosis method and abnormality diagnosis device
Zheng et al. Raw wind data preprocessing: A data-mining approach
Chang et al. Anomaly detection for industrial control systems using k-means and convolutional autoencoder
TW200849917A (en) Detecting method of network invasion
CN116628554B (en) Industrial Internet data anomaly detection method, system and equipment
CN109088744A (en) Powerline network abnormal intrusion detection method, device, equipment and storage medium
CN114448657B (en) Distribution communication network security situation awareness and abnormal intrusion detection method
CN110830504A (en) Network intrusion behavior detection method and system
CN112804248B (en) LDoS attack detection method based on frequency domain feature fusion
CN117614978A (en) Information security communication management system for digital workshop
CN115296933B (en) Industrial production data risk level assessment method and system
CN116563690A (en) Unmanned aerial vehicle sensor type unbalanced data anomaly detection method and detection system
CN112039907A (en) Automatic testing method and system based on Internet of things terminal evaluation platform
CN114970694A (en) Network security situation assessment method and model training method thereof
CN114118680A (en) Network security situation assessment method and system
Jingyi et al. ELM Network Intrusion Detection Model Based on SLPP Feature Extraction
CN113162904A (en) Power monitoring system network security alarm evaluation method based on probability graph model
CN116781418B (en) SDN malicious controller detection method based on neural network and SVM
Xiang et al. Applying fuzzy data mining to network unsupervised anomaly detection
JP7325557B2 (en) Abnormality diagnosis method and abnormality diagnosis device
CN113347021B (en) Model generation method, collision library detection method, device, electronic equipment and computer readable storage medium
CN117473571B (en) Data information security processing method and system
Qu et al. Metric learning with neural network for modbus/tcp anomaly detection
Xiang et al. Application of Fuzzy ART for unsupervised anomaly detection system
CN116720439A (en) Robustness assessment method, device and storage medium for power system integrated tree application

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant