CN105807631A - PLC simulation-based industrial control intrusion detection method and intrusion detection system - Google Patents

PLC simulation-based industrial control intrusion detection method and intrusion detection system

Info

Publication number
CN105807631A
Authority
CN
China
Prior art keywords
plc
scl
controlled device
variable
subsystem
Legal status
Granted
Application number
CN201610131655.1A
Other languages
Chinese (zh)
Other versions
CN105807631B (en)
Inventor
高为
高一为
周睿康
赖英旭
范科峰
宋站威
王宇盛
姚相振
龚洁中
Current Assignee
Electronic Industrial Standardization Institute Ministry Of Industry And Information Technology Of People's Republic Of China
Beijing University of Technology
Original Assignee
Electronic Industrial Standardization Institute Ministry Of Industry And Information Technology Of People's Republic Of China
Beijing University of Technology

Classifications

    • G PHYSICS
    • G05 CONTROLLING; REGULATING
    • G05B CONTROL OR REGULATING SYSTEMS IN GENERAL; FUNCTIONAL ELEMENTS OF SUCH SYSTEMS; MONITORING OR TESTING ARRANGEMENTS FOR SUCH SYSTEMS OR ELEMENTS
    • G05B17/00 Systems involving the use of models or simulators of said systems
    • G05B17/02 Systems involving the use of models or simulators of said systems electric

Abstract

The invention relates to a PLC simulation-based industrial control intrusion detection method and intrusion detection system. The system is composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module; the PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate layer data cache subsystem and an execution engine subsystem; the communication subsystem is connected with an industrial control network; the execution engine subsystem is connected with the intermediate layer data cache subsystem; and the controlled object anomaly detection module is connected with the PLC simulation module. The intrusion detection system for a control object and a controlled object can be provided for a user under the premise that the structure of the industrial control network is not modified, and daily production is not affected, and therefore, the phenomena of false negatives and false positives are few, intrusion recognition is fast, and thus, the network security level of an industrial control system can be greatly improved with low cost.

Description

Industrial control intrusion detection method and intrusion detection system based on PLC simulation
Technical field
The present invention relates to the field of industrial control networks, and in particular to an industrial control system intrusion detection analysis method and intrusion detection system based on interpreting control logic written in the SCL language.
Background technology
An industrial control system (Industrial Control System, ICS) is an information system made up of various automation control components together with process control modules for real-time data acquisition and monitoring; it mainly implements data acquisition and processing, supervisory control, remote communication and maintenance. As industrialization and informatization continue to merge, more and more information technology is being applied in the field of industrial control.
As industrialization and automation move towards networked, information-based systems, more and more industrial control systems adopt standard, general-purpose communication protocols and hardware and software platforms. Against this background the original isolation of industrial control systems is broken, and unsafe factors such as viruses, Trojans and intrusions can enter the industrial control network along with normal information flows, causing instability in production. In the sectors where China's industrial control systems are widely deployed, such as electric power, petrochemicals, food and pharmaceuticals and air transport, this seriously affects national strategic security.
Traditional IT security technology is relatively mature: access control, auditing, encryption, antivirus software, firewalls, intrusion detection (IDS) and so on can be applied to enterprise networks. In an industrial control network environment, however, the application scenarios and the control systems differ in many respects: industrial control systems have stringent real-time requirements, some transmission protocols are not public, and the program interfaces of industrial control components are not public. Conventional techniques therefore cannot be applied directly to protect the control network and the fieldbus network; they must be revised to fit industrial control networks. The fieldbus network usually carries electrical signals, and sensors and actuators usually run fixed firmware, so when an anomaly occurs it is mostly because a logic controller such as an RTU or PLC has been attacked. Research should therefore focus on the security mechanisms of the control network within the industrial control network.
Since antivirus software is incompatible with some industrial application programs (IAP) and firewalls cannot prevent attacks that originate inside the ICS, an intrusion detection system (IDS) is the best choice for countering APT attacks. Intrusion detection systems are widely used to protect information security and mainly use two approaches: signature detection and anomaly detection. Signature detection cannot cope with unknown attacks and threats, whereas anomaly detection is better able to cope with APT threats. Compared with traditional application environments, anomaly detection research in ICS environments is still in its infancy and has much room for development.
Summary of the invention
To solve the above problems, the invention provides an industrial control intrusion detection method and intrusion detection system based on PLC simulation that can effectively perform anomaly detection on both the controller (PLC) and the controlled object (physical equipment). The system has high detection accuracy and operates in real time.
To achieve this purpose, the present invention proposes an industrial control intrusion detection system based on PLC simulation, composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module.
The PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate-layer data cache subsystem and an execution engine subsystem.
The communication subsystem is connected to the industrial control network. The user imports an edited configuration file into the anomaly detection system. The system communicates with the real PLC according to the configuration file imported by the user: at the period set in the configuration file, it cyclically reads the input/output data at the PLC memory locations specified in the configuration file and stores the information in the intermediate-layer data cache subsystem.
The SCL language interpretation subsystem is connected to the intermediate-layer data cache subsystem. The user imports the control program code written in SCL for the PLC into this system. The system's lexical analyser splits the SCL code into lexemes according to a predefined format and passes the split content to the syntax analyser in the form of tokens. The syntax analyser filters the tokens according to rules set in advance in BNF form and passes legal token combinations to the interpreter. The interpreter generates intermediate code according to the meaning of each token combination, or stores variables in the symbol table; the meaning of a token combination is consistent with the meaning of the SCL code. The intermediate code and the symbol table are stored in the intermediate-layer data cache subsystem.
The execution engine subsystem is connected to the intermediate-layer cache subsystem. After the SCL language interpretation subsystem has finished interpreting the imported SCL code, the execution engine subsystem loads the intermediate code and the symbol table. It executes the intermediate code by a cyclic search-and-execute method and, during execution, updates the values of the variables in the symbol table according to the execution results.
The result of executing a section of SCL program code in the PLC simulation module is consistent with the result of executing it in the real PLC.
The control object anomaly detection module is connected to the PLC simulation module. If the final output of the same section of SCL control program code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is considered to have occurred in the controller PLC, because the structure and function of the PLC sandbox are consistent with those of the real PLC.
The controlled object anomaly detection module is connected to the PLC simulation module. It first reads the values of the input and output sensors of the controlled object through the PLC simulation module, then performs multivariable system identification with an autoregressive model with exogenous input (ARX) to build the plant model

$$Y(k) + a_1 Y(k-1) + \cdots + a_h Y(k-n) = B_0 U(k) + B_1 U(k-1) + \cdots + B_h U(k-n) + e(k)$$

where $Y(k)$ is the $m$-dimensional output; $U(k)$ is the $r$-dimensional input; $N$ is the sequence length of the $r$-dimensional input and the $m$-dimensional output; $k = (n+1), \dots, (n+N)$; $e(k)$ is $m$-dimensional noise; $a_1, a_2, \dots, a_h$ are the $m \times m$ parameter matrices to be identified; $B_1, B_2, \dots, B_h$ are the $m \times r$ matrices to be identified; $n$ is the time delay; and $h$ is the order of the model parameters.

$$a_i Y(k-i) = \begin{bmatrix} a^i_{11} & a^i_{12} & \cdots & a^i_{1m} \\ a^i_{21} & a^i_{22} & \cdots & a^i_{2m} \\ \vdots & \vdots & & \vdots \\ a^i_{m1} & a^i_{m2} & \cdots & a^i_{mm} \end{bmatrix} \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \quad i \in [0, n]$$

$$B_i U(k-i) = \begin{bmatrix} b^i_{11} & b^i_{12} & \cdots & b^i_{1r} \\ b^i_{21} & b^i_{22} & \cdots & b^i_{2r} \\ \vdots & \vdots & & \vdots \\ b^i_{m1} & b^i_{m2} & \cdots & b^i_{mr} \end{bmatrix} \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \quad i \in [0, n]$$

Hence row $j$, $j \in [1, m]$, of the plant model can be rewritten as

$$\begin{aligned} y_j(k) = {} & -a^j_{11} y_1(k-1) - \cdots - a^j_{1m} y_m(k-1) - a^j_{21} y_1(k-2) - \cdots - a^j_{2m} y_m(k-2) - \cdots \\ & - a^j_{n1} y_1(k-n) - \cdots - a^j_{nm} y_m(k-n) \\ & + b^j_{01} u_1(k) + b^j_{02} u_2(k) + \cdots + b^j_{0r} u_r(k) + b^j_{11} u_1(k-1) + b^j_{12} u_2(k-1) + \cdots + b^j_{1r} u_r(k-1) + \cdots \\ & + b^j_{n1} u_1(k-n) + b^j_{n2} u_2(k-n) + \cdots + b^j_{nr} u_r(k-n) + e_j(k) \end{aligned}$$

From the above equation the following $N$ matrices can be obtained:

$$Y_j(k-i) = \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \; i = 0, 1, \dots, n; \qquad e_j = \begin{bmatrix} e_j(1) \\ e_j(2) \\ \vdots \\ e_j(N) \end{bmatrix}; \qquad U(k-i) = \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \; i = 1, 2, \dots, n$$

$$\theta_j^T = \begin{bmatrix} a^j_{11} & \cdots & a^j_{1m} & \cdots & a^j_{n1} & \cdots & a^j_{nm} & b^j_{01} & \cdots & b^j_{0r} & b^j_{11} & \cdots & b^j_{1r} & \cdots & b^j_{n1} & \cdots & b^j_{nr} \end{bmatrix}$$

Row $j$, $j \in [1, m]$, of the plant model can therefore be written as $Y_j = H_j \theta_j + e_j$.
A consistent and unbiased estimate of $\theta_j$ can then be calculated by the method of least squares. Letting $j = 1, 2, \dots, m$ gives the parameter estimate of every row, and the ARX model of the controlled object is obtained. The orders $h_a, h_b$ of $a_h, b_h$ are chosen with the AIC criterion: $J(j) = J(j-1) + z(j)\varepsilon(k)$, and the $h_a, h_b$ at which $\mathrm{AIC}(h_a, h_b)$ is minimal determine the order. Let $D(k)$ be the error between the model estimate and the actual value of the controlled object; inflection points in $D(k)$ are detected by wavelet decomposition. A 3-level decomposition with the db6 wavelet function is used, where $j$ is the number of decomposition levels, $K = 1000$ is the shift scale of the wavelet, $\phi_{jK}$ is the wavelet scaling function and $\psi_{jK}$ is the wavelet function, $\psi_{jk} = 2^{-j/2} \psi_0(2^{-j} i - k)$. When the decomposed high-frequency coefficients $d_{ig}(j, k)$ contain a point greater than 0.3, the controlled object is considered abnormal.
The invention provides an industrial control intrusion detection method and intrusion detection system based on PLC simulation. Without changing the industrial network structure and without affecting daily production, it provides the user with an intrusion detection system for the control object (PLC) and the controlled object (physical equipment), with few false negatives and false positives and fast intrusion identification, thus greatly improving the network security level of the industrial control system at relatively low cost.
Brief description of the drawings
Fig. 1 is a structural schematic of the system of the present invention.
Fig. 2 is a flow chart of the PLC simulation of the present invention.
Fig. 3 is a flow chart of the control object anomaly detection of the present invention.
Fig. 4 is a flow chart of the controlled object anomaly detection of the present invention.
Detailed description of the invention
The present invention is described below with reference to the specific embodiments shown in the drawings.
Fig. 1 is a structural schematic of the sandbox-simulation-based industrial control intrusion detection system of the present invention. As shown in Fig. 1, it includes:
The PLC simulation module is connected to the control object anomaly detection module and the controlled object detection module.
The inputs of the PLC simulation module are the control program code written in SCL for the controlled object, the initial configuration file, and the input/output data of the control object and the controlled object.
By loading the configuration file, the PLC simulation module determines which control object and controlled object data to acquire; the communication subsystem communicates and reads the required data according to the configured operating interval, data content and memory addresses.
One copy of all the data obtained by the communication subsystem is passed to the controlled object anomaly detection module, and another copy is passed to the intermediate-layer data cache subsystem to update the symbol table.
The PLC simulation module loads the PID program code, i.e. the program code written in SCL, into the SCL language interpretation subsystem. The SCL language subsystem generates the original symbol table and intermediate code through the lexical analyser, syntax analyser and interpreter, and inputs the symbol table and intermediate code into the intermediate-layer data cache subsystem.
The execution engine subsystem simulates execution of the SCL program by loading the symbol table and intermediate code from the intermediate-layer data cache subsystem. The execution result is passed to the control object anomaly detection module for anomaly detection.
Fig. 2 is a flow chart of the execution of the PLC simulation module of the present invention. As shown in Fig. 2, it includes:
Step 21: the user reads the control program logic developed in SCL from the control object PLC and saves it as a file. The program code should contain two parts: variable declarations and logic code. The user imports the file into the PLC simulation module.
Step 22: the user declares in an initialization file the name, memory address and storage type of every control object variable and controlled object sensor datum that needs to be read, and whether it is an input variable or an output variable. All these variables should be stored in the PLC. According to the initialization variable declarations, the PLC simulation accesses the real PLC through the communication subsystem and reads the specified content from its memory. The user imports the written initialization file into the PLC simulation module.
Step 23: according to the characteristics of the SCL language, the lexical analyser of the present invention maps the SCL keywords to tokens; for example, "if" corresponds to the token T_IF and "else" to T_ELSE, while a declared variable returns a V_VAR token. The lexical analyser reads the characters in the file and matches them against the defined tokens; when a match is found the matching token is returned, otherwise matching continues.
Step 24: the syntax analyser of the present invention uses the BNF form to formally describe the SCL grammar rules. For example, the token combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL meaning "if var == 1".
Step 25: if the syntax analyser finds a known token combination among the tokens obtained by the lexical analyser, jump to step 27; otherwise jump to step 26.
Step 26: prompt the user that there is a syntax error in the SCL program code and ask the user to check the SCL program code.
Step 27: the interpreter of the present invention generates intermediate code (opcodes) according to the semantics of the token combination. The principle of an opcode is to convert every instruction in the SCL program into a binary operation: an opcode node contains two operands, an operator and the type of the node.
Step 28: if the type of the generated opcode node is a variable, jump to step 30; otherwise jump to step 29.
Step 29: store the opcode node in the intermediate code queue, so that after the interpreter has finished interpreting the whole SCL code the queue can be handed to the execution engine subsystem for execution.
Step 30: if the type of the generated opcode node is a variable, convert it into a variable structure and store it in the symbol table. The variable structure stores the variable name, data type and value. The variable types include the four SCL data types REAL, TIME, DWORD and BIT.
Step 31: the present invention updates the variable values in the symbol table of the PLC simulation by reading the initialization file; this step reads the input variables and output variables of the control object PLC.
Step 32: this step reads the input variables and output variables of the controlled object and passes the values read into the controlled object detection model for modelling and detection.
Step 321: cache the input/output data of the controlled object for use in modelling and in wavelet-decomposition detection.
Step 322: this step judges whether the plant model has already been built; if it has, jump to step 325 and detect directly with the acquired controlled object data, otherwise jump to step 323.
Step 323: this step judges whether the length of the cached time series meets the setting in the initialization configuration; if it does, jump to step 324, otherwise jump to step 321.
Step 324: this step determines the model order with the AIC criterion, selects the order to be used for modelling, and builds the ARX system identification model from the order determined by the AIC criterion and the cached controlled object data.
Step 325: this step computes the estimated model output from the established ARX model and the acquired controlled object data, and then computes the error between the estimated value and the actual value.
Step 326: perform a 3-level wavelet decomposition of the error sequence with the db6 wavelet and obtain the decomposed high-frequency coefficients.
Step 327: this step traverses the high-frequency coefficient sequence; if a value greater than 0.3 is found, jump to step 328, otherwise jump to step 329.
Step 328: this step prompts the user that the data of the controlled object has changed abnormally and that the controlled object is abnormal.
Step 329: this step indicates that the controlled object is normal in this execution cycle, with no abnormal state.
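The controlled object detection of steps 321 to 329 (and the ARX derivation in the summary above), carried through as an added example that is not the patent's own code. It assumes the single-input single-output case (m = r = 1, one row j of the plant model), the conventional AIC formula N*ln(SSE/N) + 2p, a periodised db6 transform, a magnitude test against the page's 0.3 threshold, and a constructed first-order plant as sample data.

```python
import math
import random

# Added example, not the patent's code: the controlled-object detector of steps 321-329 for the
# single-input single-output case (m = r = 1, one row j of the plant model). Assumptions: AIC is
# computed as N*ln(SSE/N) + 2p, the DWT uses periodised boundaries, and |coefficient| > 0.3 triggers.
# Daubechies-6 scaling (low-pass) filter, 12 taps summing to sqrt(2); the wavelet (high-pass)
# filter is its quadrature mirror. Detection only needs the magnitudes of the detail coefficients.
DB6_LO = [0.11154074335, 0.49462389039, 0.75113390802, 0.31525035170, -0.22626469396, -0.12976686756,
          0.09750160558, 0.02752286553, -0.03158203931, 0.00055384220, 0.00477725751, -0.00107730108]
DB6_HI = [(-1) ** n * DB6_LO[11 - n] for n in range(12)]

def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for the square system A x = b."""
    n, M = len(A), [row[:] + [b[i]] for i, row in enumerate(A)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        if abs(M[c][c]) < 1e-12:
            raise ValueError("singular normal equations")
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [x - f * y for x, y in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]

def regressor(y, u, ha, hb, k):
    """Row k of H_j: [-y(k-1) .. -y(k-ha), u(k) .. u(k-hb)], matching the sign convention of the ARX equation."""
    return [-y[k - i] for i in range(1, ha + 1)] + [u[k - i] for i in range(hb + 1)]

def identify_arx(y, u, ha, hb):
    """Least-squares solution of Y_j = H_j theta_j + e_j; theta = [a_1..a_ha, b_0..b_hb]."""
    k0 = max(ha, hb)
    H, Y = [regressor(y, u, ha, hb, k) for k in range(k0, len(y))], y[k0:]
    p = len(H[0])
    HtH = [[sum(h[i] * h[j] for h in H) for j in range(p)] for i in range(p)]
    HtY = [sum(h[i] * t for h, t in zip(H, Y)) for i in range(p)]
    return solve(HtH, HtY)

def residuals(theta, y, u, ha, hb):
    """D(k) = measured output minus model estimate, for k = max(ha, hb) .. N-1."""
    k0 = max(ha, hb)
    return [y[k] - sum(t * x for t, x in zip(theta, regressor(y, u, ha, hb, k))) for k in range(k0, len(y))]

def select_order_aic(y, u, max_order=3):
    """Step 324: pick (ha, hb) minimising AIC over the cached data; returns (ha, hb, theta)."""
    best = None
    for ha in range(1, max_order + 1):
        for hb in range(max_order + 1):
            theta = identify_arx(y, u, ha, hb)
            D = residuals(theta, y, u, ha, hb)
            aic = len(D) * math.log(max(sum(d * d for d in D), 1e-300) / len(D)) + 2 * len(theta)
            if best is None or aic < best[0]:
                best = (aic, ha, hb, theta)
    return best[1:]

def dwt_step(x):
    """One periodised db6 analysis step: (approximation, detail) coefficients of half length."""
    n = len(x)
    a = [sum(DB6_LO[k] * x[(2 * i + k) % n] for k in range(12)) for i in range(n // 2)]
    d = [sum(DB6_HI[k] * x[(2 * i + k) % n] for k in range(12)) for i in range(n // 2)]
    return a, d

def high_freq_coeffs(D, levels=3):
    """Step 326: detail coefficients of all levels of a 3-level db6 decomposition of D(k)."""
    details, a = [], list(D)
    for _ in range(levels):
        a, d = dwt_step(a)
        details.extend(d)
    return details

def controlled_object_abnormal(D, threshold=0.3):
    """Steps 327-329: abnormal if any high-frequency coefficient exceeds the threshold in magnitude."""
    return any(abs(c) > threshold for c in high_freq_coeffs(D))

def simulate_plant(n, rng, spoof_at=None):
    """Constructed plant y(k) = 0.8 y(k-1) + 0.5 u(k-1) + noise; optionally one reading is replaced by a spoofed value."""
    y, u = [0.0], [rng.uniform(-1, 1)]
    for k in range(1, n):
        u.append(rng.uniform(-1, 1))
        y.append(0.8 * y[k - 1] + 0.5 * u[k - 1] + rng.gauss(0, 0.01))
    if spoof_at is not None:
        y[spoof_at] += 3.0
    return y, u

def demo():
    """Fit on a cached window, then run detection on a clean window and on a window with a spoofed sample."""
    rng = random.Random(7)
    y_fit, u_fit = simulate_plant(400, rng)
    ha, hb, theta = select_order_aic(y_fit, u_fit)
    y_ok, u_ok = simulate_plant(128, rng)
    y_bad, u_bad = simulate_plant(128, rng, spo 
    if False else 64)
    return (theta, controlled_object_abnormal(residuals(theta, y_ok, u_ok, ha, hb)),
            controlled_object_abnormal(residuals(theta, y_bad, u_bad, ha, hb)))

if __name__ == "__main__":
    theta, clean_flag, spoofed_flag = demo()
    print(f"a1 = {theta[0]:.3f}  clean window abnormal: {clean_flag}  spoofed window abnormal: {spoofed_flag}")
```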
Step 33: before this step, the interpretation of the SCL code has been completed and the input and output objects have been synchronized with the real control object. This step traverses the intermediate code sequence and computes the operands according to the operator function specified in the intermediate code; an operand may be a constant, a variable or another intermediate code sequence. After execution finishes, this step splits into two branches: one branch jumps to step 31 to continue the execution loop, and the other jumps to step 34.
Step 34: this step passes the execution result of the intermediate code to the control object anomaly detection module for anomaly detection and generates the anomaly detection result for this execution cycle.
Step 341: this step reads the computed values of the output variables in the PLC simulation.
Step 342: this step reads the values of all output variables from the PLC according to the settings in the initialization file.
Step 343: this step compares the output variables computed by the PLC simulation with the output variable values read from the real PLC.
Step 344: if the comparison is consistent, jump to step 346, otherwise jump to step 345.
Step 345: if the comparison is inconsistent, then in this execution cycle the real PLC and the PLC simulation produced different output results with consistent input variables. This indicates that the execution logic of the real PLC is abnormal, has failed or has been artificially modified. The names and values of the variables that differ are output to prompt the user.
Step 346: if the comparison is consistent, then in this execution cycle the real PLC and the PLC simulation produced consistent output results with consistent input variables, and the control logic of the control object PLC is normal.
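The PLC sandbox of steps 23 to 31 and the output comparison of steps 341 to 346, as an added example that is not the patent's own code. The tiny SCL subset (assignments, IF/THEN/END_IF, binary operators), the token names other than T_IF and V_VAR, the initialization-file layout and the tank-level logic are all assumptions; the real PLC's values are constructed inline.

```python
import re
from collections import namedtuple

# Added example, not the patent's code: a miniature SCL sandbox in the spirit of the PLC simulation
# module (lexer -> BNF-style parser -> opcode nodes + symbol table -> execution engine) and the output
# comparison of steps 341-346. The SCL subset, token names and the sample logic are assumptions.
TOKEN_SPEC = [  # (token, regex); keywords precede V_VAR so they are not lexed as identifiers
    ("T_REAL", r"\d+\.\d+"), ("T_INT", r"\d+"), ("T_IF", r"IF\b"), ("T_THEN", r"THEN\b"),
    ("T_END_IF", r"END_IF\b"), ("T_ASSIGN", r":="), ("T_SEMI", r";"), ("T_OP", r"[<>=+\-*/]"),
    ("V_VAR", r"[A-Za-z_]\w*"), ("WS", r"\s+"), ("ERR", r"."),  # ERR: any character no rule accepts
]
TOKEN_RE = re.compile("|".join(f"(?P<{n}>{r})" for n, r in TOKEN_SPEC))
Opcode = namedtuple("Opcode", "op left right")  # operator + two operands (literal, name or nested node)
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b,
       ">": lambda a, b: int(a > b), "<": lambda a, b: int(a < b), "=": lambda a, b: int(a == b)}

def lex(src):
    """Lexical analyser: SCL text -> (token, text) pairs; a character matching no token is a lexical error."""
    toks = []
    for m in TOKEN_RE.finditer(src):
        if m.lastgroup == "ERR":
            raise SyntaxError(f"unexpected character {m.group()!r} at offset {m.start()}")
        if m.lastgroup != "WS":
            toks.append((m.lastgroup, m.group()))
    return toks

class Parser:
    """Syntax analyser + interpreter: legal token combinations become opcode nodes (steps 24-29)."""
    def __init__(self, toks, symtab):
        self.toks, self.i, self.symtab = toks, 0, symtab
    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def take(self, kind=None):  # consume the next token, which must be of the given kind (step 26 otherwise)
        if self.i >= len(self.toks) or (kind and self.toks[self.i][0] != kind):
            raise SyntaxError(f"syntax error at token {self.i}: expected {kind}")
        self.i += 1
        return self.toks[self.i - 1][1]
    def program(self):  # yields one opcode node per statement, in order (the intermediate-code queue)
        while self.peek() is not None:
            yield self.statement()
    def statement(self):
        if self.peek() == "T_IF":  # IF cond THEN stmts END_IF ;
            self.take("T_IF")
            cond, body = self.expr(), []
            self.take("T_THEN")
            while self.peek() != "T_END_IF":
                body.append(self.statement())
            self.take("T_END_IF")
            self.take("T_SEMI")
            return Opcode("IF", cond, body)
        name = self.take("V_VAR")  # name := expr ;
        if name not in self.symtab:
            raise SyntaxError(f"undeclared variable {name}")
        self.take("T_ASSIGN")
        rhs = self.expr()
        self.take("T_SEMI")
        return Opcode(":=", name, rhs)
    def expr(self):
        left = self.operand()
        while self.peek() == "T_OP":  # left-associative binary operations, no precedence
            left = Opcode(self.take("T_OP"), left, self.operand())
        return left
    def operand(self):
        kind, text = self.peek(), self.take()
        if kind in ("T_REAL", "T_INT"):
            return float(text) if kind == "T_REAL" else int(text)
        if kind == "V_VAR" and text in self.symtab:
            return Opcode("VAR", text, None)
        raise SyntaxError(f"unexpected token {kind} {text!r}")

def execute(code, symtab):  # execution engine: one scan cycle over the intermediate-code queue (step 33)
    def ev(n):
        if not isinstance(n, Opcode):
            return n
        if n.op == "VAR":
            return symtab[n.left]["value"]
        if n.op == "IF":
            for stmt in (n.right if ev(n.left) else []):
                ev(stmt)
        elif n.op == ":=":
            symtab[n.left]["value"] = ev(n.right)
        else:
            return OPS[n.op](ev(n.left), ev(n.right))
    for node in code:
        ev(node)

def control_object_check(src, init_decl, real_plc_values):
    """Steps 31 and 341-346: one sandbox cycle with the real PLC's inputs; returns {name: (simulated, real)} for differing outputs."""
    symtab = {n: {"type": t, "io": io, "value": 0} for n, (t, io) in init_decl.items()}  # steps 22/30
    code = list(Parser(lex(src), symtab).program())
    for name, entry in symtab.items():
        if entry["io"] == "input":  # step 31: synchronise inputs read from the real PLC
            entry["value"] = real_plc_values[name]
    execute(code, symtab)
    return {n: (e["value"], real_plc_values[n]) for n, e in symtab.items()
            if e["io"] == "output" and e["value"] != real_plc_values[n]}

INIT_DECL = {"level": ("REAL", "input"), "pump": ("BIT", "output"), "alarm": ("BIT", "output")}  # constructed
SCL_SOURCE = ("pump := 0; alarm := 0; IF level > 80.0 THEN pump := 1; END_IF; "  # constructed tank logic
              "IF level > 95.0 THEN alarm := 1; END_IF;")
```

With the real PLC reporting level 97.0, pump 1 and alarm 0, `control_object_check(SCL_SOURCE, INIT_DECL, {...})` returns `{"alarm": (1, 0)}`, i.e. the name and both values of the diverging output as step 345 requires.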
It should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution; this manner of description is used only for clarity. Those skilled in the art should take the specification as a whole, and the technical solutions in the embodiments may also be combined appropriately according to their understanding.
The detailed descriptions listed above only illustrate feasible embodiments of the present invention and are not intended to limit its scope of protection; all equivalent implementations or modifications made without departing from the spirit of the invention should be included within its scope of protection.

Claims (4)

1. An industrial control intrusion detection system based on PLC simulation, characterized in that: the system is composed of a PLC simulation module, a control object anomaly detection module and a controlled object anomaly detection module;
the PLC simulation module is composed of a communication subsystem, an SCL language interpretation subsystem, an intermediate-layer data cache subsystem and an execution engine subsystem;
the communication subsystem is connected to the industrial control network; the user imports an edited configuration file into the anomaly detection system; the system communicates with the real PLC according to the configuration file imported by the user; at the period set in the configuration file, it cyclically reads the input/output data at the PLC memory locations specified in the configuration file and stores the information in the intermediate-layer data cache subsystem;
the SCL language interpretation subsystem is connected to the intermediate-layer data cache subsystem, and the user imports the control program code written in SCL for the PLC into this system; the system's lexical analyser splits the SCL code into lexemes according to a predefined format and passes the split content to the syntax analyser in the form of tokens; the syntax analyser filters the tokens according to rules set in advance in BNF form and passes legal token combinations to the interpreter; the interpreter generates intermediate code according to the meaning of each token combination, or stores variables in the symbol table, the meaning of a token combination being consistent with the meaning of the SCL code; the intermediate code and the symbol table are stored in the intermediate-layer data cache subsystem;
the execution engine subsystem is connected to the intermediate-layer cache subsystem; after the SCL language interpretation subsystem has finished interpreting the imported SCL code, the execution engine subsystem loads the intermediate code and the symbol table; it executes the intermediate code by a cyclic search-and-execute method and, during execution, updates the values of the variables in the symbol table according to the execution results;
the result of executing a section of SCL program code in the PLC simulation module is consistent with the result of executing it in the real PLC;
the control object anomaly detection module is connected to the PLC simulation module; if the final output of the same section of SCL control program code in the PLC simulation module differs from the output read from the real PLC, abnormal behaviour is considered to have occurred in the controller PLC, because the structure and function of the PLC sandbox are consistent with those of the real PLC;
the controlled object anomaly detection module is connected to the PLC simulation module.
2. The industrial control intrusion detection system based on PLC simulation according to claim 1, characterized in that: the PLC simulation module is connected to the control object anomaly detection module and the controlled object detection module;
the inputs of the PLC simulation module are the control program code written in SCL for the controlled object, the initial configuration file, and the input/output data of the control object and the controlled object;
by loading the configuration file, the PLC simulation module determines which control object and controlled object data to acquire, and the communication subsystem communicates and reads the required data according to the configured operating interval, data content and memory addresses;
one copy of all the data obtained by the communication subsystem is passed to the controlled object anomaly detection module, and another copy is passed to the intermediate-layer data cache subsystem to update the symbol table;
the PLC simulation module loads the PID program code, i.e. the program code written in SCL, into the SCL language interpretation subsystem; the SCL language subsystem generates the original symbol table and intermediate code through the lexical analyser, syntax analyser and interpreter, and inputs the symbol table and intermediate code into the intermediate-layer data cache subsystem;
the execution engine subsystem simulates execution of the SCL program by loading the symbol table and intermediate code from the intermediate-layer data cache subsystem; the execution result is passed to the control object anomaly detection module for anomaly detection.
3. An industrial control intrusion detection method based on PLC simulation using the system according to claim 1, characterized in that: the values of the input and output sensors of the controlled object are first read through the PLC simulation module; multivariable system identification is then performed with an autoregressive moving-average model with exogenous input (ARMAX) to build the plant model

$$Y(k) + a_1 Y(k-1) + \cdots + a_h Y(k-n) = B_0 U(k) + B_1 U(k-1) + \cdots + B_h U(k-n) + e(k)$$

where $Y(k)$ is the $m$-dimensional output; $U(k)$ is the $r$-dimensional input; $N$ is the sequence length of the $r$-dimensional input and the $m$-dimensional output; $k = (n+1), \dots, (n+N)$; $e(k)$ is $m$-dimensional noise; $a_1, a_2, \dots, a_h$ are the $m \times m$ parameter matrices to be identified; $B_1, B_2, \dots, B_h$ are the $m \times r$ matrices to be identified; $n$ is the time delay; and $h$ is the order of the model parameters;

$$a_i Y(k-i) = \begin{bmatrix} a^i_{11} & a^i_{12} & \cdots & a^i_{1m} \\ a^i_{21} & a^i_{22} & \cdots & a^i_{2m} \\ \vdots & \vdots & & \vdots \\ a^i_{m1} & a^i_{m2} & \cdots & a^i_{mm} \end{bmatrix} \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \quad i \in [0, n]$$

$$B_i U(k-i) = \begin{bmatrix} b^i_{11} & b^i_{12} & \cdots & b^i_{1r} \\ b^i_{21} & b^i_{22} & \cdots & b^i_{2r} \\ \vdots & \vdots & & \vdots \\ b^i_{m1} & b^i_{m2} & \cdots & b^i_{mr} \end{bmatrix} \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \quad i \in [0, n]$$

hence row $j$, $j \in [1, m]$, of the plant model can be rewritten as

$$\begin{aligned} y_j(k) = {} & -a^j_{11} y_1(k-1) - \cdots - a^j_{1m} y_m(k-1) - a^j_{21} y_1(k-2) - \cdots - a^j_{2m} y_m(k-2) - \cdots \\ & - a^j_{n1} y_1(k-n) - \cdots - a^j_{nm} y_m(k-n) \\ & + b^j_{01} u_1(k) + b^j_{02} u_2(k) + \cdots + b^j_{0r} u_r(k) + b^j_{11} u_1(k-1) + b^j_{12} u_2(k-1) + \cdots + b^j_{1r} u_r(k-1) + \cdots \\ & + b^j_{n1} u_1(k-n) + b^j_{n2} u_2(k-n) + \cdots + b^j_{nr} u_r(k-n) + e_j(k) \end{aligned}$$

from the above equation the following $N$ matrices can be obtained:

$$Y_j(k-i) = \begin{bmatrix} y_1(k-i) \\ y_2(k-i) \\ \vdots \\ y_m(k-i) \end{bmatrix}, \; i = 0, 1, \dots, n; \qquad e_j = \begin{bmatrix} e_j(1) \\ e_j(2) \\ \vdots \\ e_j(N) \end{bmatrix}; \qquad U(k-i) = \begin{bmatrix} u_1(k-i) \\ u_2(k-i) \\ \vdots \\ u_r(k-i) \end{bmatrix}, \; i = 1, 2, \dots, n$$

$$\theta_j^T = \begin{bmatrix} a^j_{11} & \cdots & a^j_{1m} & \cdots & a^j_{n1} & \cdots & a^j_{nm} & b^j_{01} & \cdots & b^j_{0r} & b^j_{11} & \cdots & b^j_{1r} & \cdots & b^j_{n1} & \cdots & b^j_{nr} \end{bmatrix}$$

row $j$, $j \in [1, m]$, of the plant model can therefore be written as $Y_j = H_j \theta_j + e_j$; a consistent and unbiased estimate of $\theta_j$ can then be calculated by the method of least squares; letting $j = 1, 2, \dots, m$ gives the parameter estimate of every row, and the ARX model of the controlled object is obtained; the orders $h_a, h_b$ of $a_h, b_h$ are chosen with the AIC criterion: $J(j) = J(j-1) + z(j)\varepsilon(k)$, and the $h_a, h_b$ at which $\mathrm{AIC}(h_a, h_b)$ is minimal determine the order; let $D(k)$ be the error between the model estimate and the actual value of the controlled object; inflection points in $D(k)$ are detected by wavelet decomposition; a 3-level decomposition with the db6 wavelet function is used, where $j$ is the number of decomposition levels, $K = 1000$ is the shift scale of the wavelet, $\phi_{jK}$ is the wavelet scaling function and $\psi_{jK}$ is the wavelet function, $\psi_{jK} = 2^{-j/2} \psi_0(2^{-j} i - K)$; when the decomposed high-frequency coefficients $d_{ig}(j, k)$ contain a point greater than 0.3, the controlled object is considered abnormal.
4. The PLC-simulation-based industrial control intrusion detection method according to claim 3, characterised in that the execution flow of the PLC simulation module of the method comprises:
Step 21: the user reads in the control program logic of the control-object PLC, developed in the SCL language, and saves it as a file; the program code should comprise two parts, the variable declarations and the logic code; the user imports the file into the PLC simulation module;
Step 22: the user writes into an initialization file the name, memory address and storage type of each control-object variable and each item of controlled-device sensor data that needs to be read, and whether it is an input variable or an output variable; all of these variables should be stored in the PLC; according to the variable declarations in the initialization file, the PLC simulation accesses the real PLC by message and reads the specified content from its memory; the user imports the completed initialization file into the PLC simulation module;
Step 23: in the lexical analyser of the method the keywords of the SCL language are defined as tokens according to the characteristics of the language, for example `if` corresponds to the token T_IF and `else` to T_ELSE, and a variable in a statement returns the token V_VAR; the lexical analyser reads the characters of the file and matches them against the defined tokens, returning the matching token when one is found and otherwise continuing to match;
Step 24: the syntax parser of the method describes the SCL language rules formally in BNF; for example the combination T_IF T_VAR T_EQUAL 1 corresponds to the SCL meaning `if var == 1`;
Step 25: if the syntax parser finds a known token combination among the tokens obtained from the lexical analyser, it jumps to step 27, otherwise it jumps to step 26;
Step 26: the user is prompted that the SCL program code contains a syntax error and is asked to check the SCL program code;
Step 27: the interpreter of the method generates intermediate code (opcode) according to the semantics of the token combination; the principle of opcode is that every instruction in the SCL program is converted into a binary-operation relation, so an opcode node comprises two operands, an operator and the type of the node;
Step 28: if the type of the generated opcode node is variable, jump to step 30, otherwise jump to step 29;
Step 29: store the opcode node in the intermediate code queue, so that once the interpreter has finished interpreting the whole SCL code it can hand the queue to the execution engine subsystem for execution;
Step 30: if the type of the generated opcode node is variable, convert it into a variable structure and store it in the symbol table; the variable structure stores the variable name, data type and variable value; the variable types comprise the four SCL data types REAL, TIME, DWORD and BIT;
Step 31: the method updates the variable values in the symbol table of the simulated PLC by reading the initialization file; this step reads the input variables and output variables of the control-object PLC;
Step 32: this step reads the input variables and output variables of the control object and passes the values read into the controlled-device detection model for modelling and detection;
Step 321: buffer the input and output data of the controlled device for use in modelling and in wavelet-decomposition detection;
Step 322: judge whether the plant model has already been built; if it has, jump to step 325 and detect directly with the controlled-device data obtained, otherwise jump to step 323;
Step 323: judge whether the length of the buffered time series meets the setting made at initialization; if it does, jump to step 324, otherwise jump to step 321;
Step 324: determine the model order with the AIC criterion, choose the order to be used for modelling, and build the ARX system identification model from the order determined by the AIC order-selection criterion and the buffered controlled-device data;
Step 325: compute the estimated model output from the established ARX model and the controlled-device data obtained; then compute the error between the estimated value and the actual value;
Step 326: perform a 3-level wavelet decomposition of the error sequence with the db6 wavelet and obtain the decomposed high-frequency coefficients;
Step 327: traverse the high-frequency coefficient sequence; if a value greater than 0.3 is found, jump to step 328, otherwise jump to step 329;
Step 328: prompt the user that the controlled-device data show an abnormal change and that the controlled device is abnormal;
Step 329: in this execution cycle the controlled device is normal and no abnormal state is present;
Step 33: before this step the interpretation of the SCL code has been completed and the input and output objects have been synchronized with the real control object; this step traverses the intermediate code sequence and computes the operands according to the operator function specified in the intermediate code, where an operand may be a constant, a variable or another intermediate code sequence; after execution this step splits into two branches, one of which jumps to step 31 to continue the execution loop while the other jumps to step 34;
Step 34: this step passes the execution result of the intermediate code to the control-object anomaly detection module for anomaly detection and generates the anomaly detection result for this execution cycle;
Step 341: this step reads the computed values of the output variables in the PLC simulation;
Step 342: this step reads the values of all output variables from the PLC according to the settings in the initialization file;
Step 343: this step compares the output variables computed by the PLC simulation with the output variable values read from the real PLC;
Step 344: if the comparison is consistent, jump to step 346, otherwise jump to step 345;
Step 345: if the comparison is inconsistent, then in this execution cycle the real PLC and the simulated PLC produced different output results from consistent input variables; this indicates that the execution logic of the real PLC is abnormal, has failed or has been modified by a person; the names and values of the variables that differ are output to prompt the user;
Step 346: if the comparison is consistent, then in this execution cycle the real PLC and the simulated PLC produced consistent output results from consistent input variables, and the control logic of the control-object PLC is normal.
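The interpreter stages of steps 23 to 30 above (lexical analyser, BNF-based syntax parser, opcode generation and symbol table) as a runnable Python front end for a small SCL subset. This is an added example, not the patent's code: the subset (IF/THEN/ELSE/END_IF, assignment with :=, comparison, + and -, AND/OR, REAL and BOOL literals), every token name other than T_IF, T_ELSE and V_VAR, the opcode node layout and the sample control program are assumptions made here.

```python
# Added example (not the patent's code): lexical analysis, BNF-style parsing, opcode
# generation and symbol-table filling for a small SCL subset (steps 23-30). The subset
# and every token name other than T_IF/T_ELSE/V_VAR are assumptions.
import re

# Step 23: keywords and symbols as tokens; keywords precede V_VAR so "IF" is not a name.
TOKEN_RE = re.compile("|".join(f"(?P<{name}>{pat})" for name, pat in [
    ("T_IF", r"\bIF\b"), ("T_THEN", r"\bTHEN\b"), ("T_ELSE", r"\bELSE\b"),
    ("T_END_IF", r"\bEND_IF\b"), ("T_AND", r"\bAND\b"), ("T_OR", r"\bOR\b"),
    ("V_BOOL", r"\b(?:TRUE|FALSE)\b"), ("V_NUM", r"\d+(?:\.\d+)?"),
    ("V_VAR", r"[A-Za-z_]\w*"), ("T_ASSIGN", r":="), ("T_OP", r"<>|[=<>+\-]"),
    ("T_SEMI", r";"), ("WS", r"\s+")]))
PREC = {"OR": 1, "AND": 2, "=": 3, "<>": 3, "<": 3, ">": 3, "+": 4, "-": 4}


def lex(src):
    """Lexical analyser: (token, text) pairs; an unmatched character is a lexical error."""
    pos, tokens = 0, []
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise SyntaxError(f"illegal character {src[pos]!r} at offset {pos}")
        if m.lastgroup != "WS":
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def parse(tokens, symbols):
    """Steps 24-30: recursive descent over the grammar
        statement ::= V_VAR ':=' expr ';'
                    | 'IF' expr 'THEN' {statement} ['ELSE' {statement}] 'END_IF' ';'
        expr      ::= primary { op expr }            (precedence climbing)
    Each expression becomes an opcode node ("op", operator, left, right) whose operands
    are ("const", value), ("var", name) or another opcode node. Variable nodes are also
    entered into `symbols` (step 30); the statements returned are the intermediate code
    queue (step 29); an unexpected token raises SyntaxError (step 26)."""
    toks = list(tokens)

    def peek(kind=None):
        return toks[0] if toks and (kind is None or toks[0][0] == kind) else None

    def take(kind):
        if peek(kind) is None:
            raise SyntaxError(f"expected {kind}, got {toks[:1]}")
        return toks.pop(0)

    def variable():
        name = take("V_VAR")[1]
        symbols.setdefault(name, {"type": None, "value": None})  # typed once a value is known
        return ("var", name)

    def primary():
        if peek("V_NUM"):
            return ("const", float(take("V_NUM")[1]))
        if peek("V_BOOL"):
            return ("const", take("V_BOOL")[1] == "TRUE")
        return variable()

    def expr(min_prec=1):
        left = primary()
        while True:
            tok = peek("T_OP") or peek("T_AND") or peek("T_OR")
            if tok is None or PREC[tok[1]] < min_prec:
                return left
            toks.pop(0)
            left = ("op", tok[1], left, expr(PREC[tok[1]] + 1))

    def statements(*enders):
        queue = []
        while toks and not any(peek(e) for e in enders):
            if peek("T_IF"):
                take("T_IF"); cond = expr(); take("T_THEN")
                then, other = statements("T_ELSE", "T_END_IF"), []
                if peek("T_ELSE"):
                    take("T_ELSE"); other = statements("T_END_IF")
                take("T_END_IF"); take("T_SEMI")
                queue.append(("if", cond, then, other))
            else:
                target = variable()[1]; take("T_ASSIGN"); value = expr(); take("T_SEMI")
                queue.append(("assign", target, value))
        return queue

    return statements()


def interpret(src):
    """Whole front end: source text in, (intermediate code queue, symbol table) out."""
    symbols = {}
    return parse(lex(src), symbols), symbols


# Constructed control program in the SCL subset (not from the patent).
SCL_PROGRAM = """IF Level > 80.0 THEN Pump := TRUE; Valve := FALSE;
ELSE Pump := FALSE; Valve := Level < 20.0; END_IF;
Alarm := Level > 95.0 OR Level < 5.0;
"""

if __name__ == "__main__":
    queue, symbols = interpret(SCL_PROGRAM)
    print(queue[0][1], sorted(symbols))
```

A missing END_IF or a stray operator surfaces as a SyntaxError from `take`, which is the step 26 path; the symbol table is filled while parsing, so every name the queue can ever touch is known before the execution engine runs.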
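The identification-and-detection pipeline of claim 3 and of steps 321 to 329 above as a runnable Python script, added here as an example and not code from the patent: the ARX regression is fitted by least squares (the claim names the estimator but gives no formula; the normal-equation solution used below is the standard one), the order is picked by AIC as in step 324, and the residual D(k) of steps 325 to 327 is checked through a 3-level wavelet detail threshold of 0.3. Everything in it is constructed: the single-input single-output plant with known coefficients, its LCG-driven input, the small measurement noise, and the forged sensor sample standing in for tampering. The Haar wavelet replaces the db6 wavelet the claim specifies, because db6's filter coefficients are not embedded here; the detail coefficients therefore differ in value, not in role.

```python
# Added example (not code from the patent): ARX identification by least squares, AIC
# order selection and residual anomaly detection. The plant, its input, the noise and
# the forged sample are constructed; Haar stands in for the db6 wavelet of the claim.
import math

def lcg(seed=12345):
    """Deterministic pseudo-random stream in [-1, 1); stands in for a real input u(k)."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % 2**31
        yield state / 2**30 - 1.0

def simulate_plant(n_samples=400, noise=1e-3, seed=12345):
    """Constructed SISO plant in the claim's sign convention
    y(k) = -a1*y(k-1) - a2*y(k-2) + b0*u(k) + b1*u(k-1) + e(k)
    with a1 = -1.2, a2 = 0.5, b0 = 0.3, b1 = 0.1 (poles inside the unit circle)."""
    rng = lcg(seed)
    u = [next(rng) for _ in range(n_samples)]
    y = [0.0, 0.0]                                    # zero initial conditions
    for k in range(2, n_samples):
        y.append(1.2 * y[k - 1] - 0.5 * y[k - 2] + 0.3 * u[k] + 0.1 * u[k - 1]
                 + noise * next(rng))
    return u, y

def regressor(u, y, k, na, nb):
    """One row of H_j for sample k: [-y(k-1) .. -y(k-na), u(k) .. u(k-nb)]."""
    return [-y[k - i] for i in range(1, na + 1)] + [u[k - i] for i in range(nb + 1)]

def least_squares(H, Y):
    """theta = (H^T H)^-1 H^T Y through the normal equations (Gaussian elimination with
    partial pivoting); the claim names the least-squares estimate but gives no formula."""
    p = len(H[0])
    A = [[sum(row[i] * row[j] for row in H) for j in range(p)]
         + [sum(row[i] * t for row, t in zip(H, Y))] for i in range(p)]
    for col in range(p):
        piv = max(range(col, p), key=lambda r: abs(A[r][col]))
        A[col], A[piv] = A[piv], A[col]
        for r in range(col + 1, p):
            f = A[r][col] / A[col][col]
            for c in range(col, p + 1):
                A[r][c] -= f * A[col][c]
    theta = [0.0] * p
    for i in range(p - 1, -1, -1):
        theta[i] = (A[i][p] - sum(A[i][j] * theta[j] for j in range(i + 1, p))) / A[i][i]
    return theta

def fit_arx(u, y, na, nb):
    """Estimate theta for orders (na, nb); returns it with the fit residuals."""
    start = max(na, nb)
    H = [regressor(u, y, k, na, nb) for k in range(start, len(y))]
    Y = y[start:]
    theta = least_squares(H, Y)
    return theta, [t - sum(h * w for h, w in zip(row, theta)) for row, t in zip(H, Y)]

def aic(resid, n_params):
    """Akaike information criterion for a Gaussian residual model."""
    sigma2 = sum(e * e for e in resid) / len(resid)
    return len(resid) * math.log(sigma2) + 2 * n_params

def select_order(u, y, na_max=3, nb_max=2):
    """Step 324: the (na, nb) with the smallest AIC over a candidate grid."""
    scored = [(aic(fit_arx(u, y, na, nb)[1], na + nb + 1), na, nb)
              for na in range(1, na_max + 1) for nb in range(nb_max + 1)]
    return min(scored)[1:]

def residuals(u, y, theta, na, nb):
    """Step 325: D(k) = y(k) - y_hat(k), one-step-ahead prediction from the model."""
    return [y[k] - sum(h * w for h, w in zip(regressor(u, y, k, na, nb), theta))
            for k in range(max(na, nb), len(y))]

def haar_details(x, levels=3):
    """Step 326 with a Haar wavelet in place of db6 (db6 needs a 12-tap filter bank
    this script does not embed): detail (high-frequency) coefficients per level."""
    details, approx = [], list(x)
    for _ in range(levels):
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(lo - hi) / math.sqrt(2) for lo, hi in pairs])
        approx = [(lo + hi) / math.sqrt(2) for lo, hi in pairs]
    return details

def is_anomalous(u, y, theta, na, nb, threshold=0.3):
    """Steps 327-329: any detail coefficient beyond the threshold flags the device."""
    return any(abs(c) > threshold
               for level in haar_details(residuals(u, y, theta, na, nb)) for c in level)

if __name__ == "__main__":
    u, y = simulate_plant()
    na, nb = select_order(u, y)
    theta, _ = fit_arx(u, y, na, nb)
    print("order", (na, nb), "theta", [round(t, 3) for t in theta])
    u2, y2 = simulate_plant(n_samples=64, seed=777)    # fresh window of the same plant
    forged = list(y2)
    forged[40] += 2.0                                    # constructed sensor tampering
    print("clean window flagged:", is_anomalous(u2, y2, theta, na, nb))
    print("forged window flagged:", is_anomalous(u2, forged, theta, na, nb))
```

The fixed 0.3 threshold is applied here to the residual scale of the constructed plant; on a real device it has to be set relative to the residual magnitude the fitted model actually achieves, otherwise a noisy but healthy loop and a quiet but tampered one are mis-flagged in opposite directions. A single forged sample also perturbs the next na predictions, which is why the residual shows a short oscillation rather than one spike.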
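The execution engine of step 33 and the emulated-versus-real output comparison of steps 341 to 346 above, as an added example that is not the patent's code. It runs an intermediate code queue in an assumed node layout, ("op", operator, left, right) with ("const", value) and ("var", name) operands; the queue, the input value and the two readings from the "real" PLC are constructed here, the second reading with one output forced to a value the control logic would not have produced, which is the failure-or-tampering case of step 345.

```python
# Added example (not the patent's code): the execution engine of step 33 run over an
# intermediate code queue, and the emulated-vs-real output comparison of steps 341-346.
# The node layout ("op", operator, left, right) / ("const", v) / ("var", name), the sample
# queue and the "real PLC" readings are all constructed here.
import operator as op

OPS = {"=": op.eq, "<>": op.ne, "<": op.lt, ">": op.gt, "+": op.add, "-": op.sub,
       "AND": lambda a, b: bool(a) and bool(b), "OR": lambda a, b: bool(a) or bool(b)}

def entry(value):
    """Step 30 variable structure: SCL type plus value (BIT for booleans, REAL otherwise)."""
    return {"type": "BIT" if isinstance(value, bool) else "REAL", "value": value}

def evaluate(node, symbols):
    """An operand is a constant, a symbol-table variable or a nested opcode node."""
    if node[0] == "const":
        return node[1]
    if node[0] == "var":
        if symbols.get(node[1], {}).get("value") is None:
            raise NameError(f"{node[1]} read before any value was loaded into it")
        return symbols[node[1]]["value"]
    return OPS[node[1]](evaluate(node[2], symbols), evaluate(node[3], symbols))

def execute(queue, symbols):
    """Step 33: walk the queue; assignments update the symbol table, IF picks a branch."""
    for stmt in queue:
        if stmt[0] == "assign":
            symbols[stmt[1]] = entry(evaluate(stmt[2], symbols))
        else:
            _, cond, then, other = stmt
            execute(then if evaluate(cond, symbols) else other, symbols)

def emulate_cycle(queue, inputs):
    """Steps 31-33 for one cycle: the inputs read from the real PLC seed the symbol
    table, the queue runs, and the computed output variables come back."""
    symbols = {name: entry(value) for name, value in inputs.items()}
    execute(queue, symbols)
    return {n: s["value"] for n, s in symbols.items() if n not in inputs}

def compare_outputs(emulated, real):
    """Steps 343-346: (name, emulated, real) for every output that differs; an empty
    list means the real PLC's control logic agreed with the emulation this cycle."""
    return [(n, emulated[n], real.get(n)) for n in sorted(emulated) if emulated[n] != real.get(n)]

# Constructed intermediate code queue, i.e. what the interpreter stage would emit for
#   IF Level > 80.0 THEN Pump := TRUE; Valve := FALSE;
#   ELSE Pump := FALSE; Valve := Level < 20.0; END_IF;
#   Alarm := Level > 95.0 OR Level < 5.0;
LEVEL = ("var", "Level")
QUEUE = [
    ("if", ("op", ">", LEVEL, ("const", 80.0)),
        [("assign", "Pump", ("const", True)), ("assign", "Valve", ("const", False))],
        [("assign", "Pump", ("const", False)),
         ("assign", "Valve", ("op", "<", LEVEL, ("const", 20.0)))]),
    ("assign", "Alarm", ("op", "OR", ("op", ">", LEVEL, ("const", 95.0)),
                                     ("op", "<", LEVEL, ("const", 5.0)))),
]

if __name__ == "__main__":
    readings = [{"Pump": True, "Valve": False, "Alarm": False},   # constructed: consistent
                {"Pump": True, "Valve": True, "Alarm": False}]    # constructed: Valve forced on
    for real in readings:
        emulated = emulate_cycle(QUEUE, {"Level": 85.0})
        print(emulated, compare_outputs(emulated, real) or "consistent")
```

The comparison is only meaningful when both sides saw the same inputs in the same cycle, which is why `emulate_cycle` is seeded from the values read out of the real PLC rather than from a separate sensor feed; a mismatch then isolates the PLC's logic, not its inputs.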
CN201610131655.1A (priority date 2016-03-08, filing date 2016-03-08): PLC simulation-based industrial control intrusion detection method and intrusion detection system; status Active; granted as CN105807631B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201610131655.1A (granted as CN105807631B) | 2016-03-08 | 2016-03-08 | PLC simulation-based industrial control intrusion detection method and intrusion detection system
Publications (2)

Publication Number | Publication Date
CN105807631A (en) | 2016-07-27
CN105807631B (en) | 2019-02-12

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109766992A * | 2018-12-06 | 2019-05-17 | Beijing University of Technology | Industrial control anomaly detection and attack classification based on deep learning
CN110941236A * | 2019-12-31 | 2020-03-31 | Zhengzhou Xinda Jiean Information Technology Co., Ltd. | PLC safety monitoring and dynamic measurement method and system
CN111007796A * | 2019-12-31 | 2020-04-14 | Zhengzhou Xinda Jiean Information Technology Co., Ltd. | PLC safety real-time monitoring method and system
CN112491796A * | 2020-10-28 | 2021-03-12 | Beijing University of Technology | Intrusion detection and semantic decision tree quantitative interpretation method based on convolutional neural network
CN112985747A * | 2021-05-08 | 2021-06-18 | Hypervelocity Aerodynamics Institute, China Aerodynamics Research and Development Center | Hypersonic wind tunnel cooperative control and simulation device and control method
CN113341870A * | 2021-06-24 | 2021-09-03 | Ningbo Artificial Intelligence Institute, Shanghai Jiao Tong University | System and method for recognizing control code exceptions
CN114285599A * | 2021-11-23 | 2022-04-05 | PLA Strategic Support Force Information Engineering University | Industrial control honeypot construction method based on controller deep memory simulation, and industrial control honeypot

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
RU2755252C2 * | 2020-02-26 | 2021-09-14 | AO Kaspersky Lab | Method and system for assessing the impact of software under study on the availability of industrial automation systems


Legal Events

Code | Title
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant