CN107438052A - Anomaly detection method for unknown industrial communication protocol specifications - Google Patents

Anomaly detection method for unknown industrial communication protocol specifications

Info

Publication number: CN107438052A
Authority: CN (China)
Prior art keywords: behavior, sequence, communication protocol, industrial communication, events
Legal status: Granted
Application number: CN201610356186.3A
Other languages: Chinese (zh)
Other versions: CN107438052B (en)
Inventors: 万明, 尚文利, 赵剑明, 曾鹏, 于海斌
Current assignee: Shenyang Institute of Automation of CAS
Original assignee: Shenyang Institute of Automation of CAS
Priority date: 2016-05-26
Filing date: 2016-05-26
Publication date: 2017-12-05
Application filed by Shenyang Institute of Automation of CAS
Priority to CN201610356186.3A
Publication of CN107438052A
Application granted; publication of CN107438052B
Legal status: Active

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425  Traffic logging, e.g. anomaly detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an anomaly detection method for unknown industrial communication protocol specifications. The method is divided into a self-learning stage and a real-time detection stage. The self-learning stage analyzes the raw network communication data and extracts features from it, forms event sequences, trains a hidden Markov model with the event sequences as its input, and finally obtains an optimized hidden Markov model and a behavior probability threshold by iteration. The real-time detection stage uses the optimized hidden Markov model to calculate the behavior probability of the event sequences processed in real time and compares it with the behavior probability threshold, thereby completing anomaly detection of industrial communication behavior. The invention can check the legitimacy of industrial communication traffic that uses an unknown industrial communication protocol specification, discover abnormal industrial communication behavior in real time and raise an alarm, and so protect the network communication security of industrial control systems.

Description

Anomaly detection method for unknown industrial communication protocol specifications
Technical field
The present invention relates to the technical field of industrial control system network security, and in particular to an anomaly detection method for unknown industrial communication protocol specifications.
Background art
With the development of modern communication, computing, networking and control technology, and the continuous convergence of information technology with field-level technology, the fusion of industrialization and informatization has become an inevitable trend. As a significant product of this trend, networked industrial control systems have received great attention from the state and have become one of the strategic plans for national economic and social development. However, networking and informatization have gradually broken the original closed nature of industrial control systems; information security problems have been exposed with them and show a growing trend. An important reason why industrial control systems carry so many information security risks is that the industrial communication protocols they use were designed and implemented without information security considerations and lack corresponding security mechanisms.
Industry and academia have therefore begun to research and explore information security protection for industrial control systems. Many current attacks on industrial control systems use vulnerabilities in industrial communication protocols as their point of entry and threaten industrial control terminal devices, so existing security protection methods for industrial control systems are likewise developed on the basis of parsing proprietary industrial communication protocols. For example, industrial firewalls use deep packet inspection (DPI) to parse and filter industrial communication protocols in depth, achieving access control over industrial communication traffic. Industrial gateways use network isolation techniques designed for proprietary industrial communication protocols to secure the collection and exchange of data between different zones. Although these two methods protect industrial control systems from network attacks to a certain extent, they have shortcomings. First, whitelist rules are configured manually, and any deviation produces wrong security rules. Second, as in-line network security middleware, they can affect the real-time operation of the system.
Because anomaly detection can identify, detect and respond to intrusions and unauthorized behavior appearing on the network without disturbing the real-time performance and availability of the industrial control system, it has become a research hotspot as a third-party, out-of-band (bypass) behavior monitoring method. Anomaly detection techniques for industrial control systems currently fall into three classes: statistics-based methods, knowledge-based methods and machine-learning-based methods. All three classes model industrial communication behavior on the basis of an in-depth analysis of the industrial communication protocol; their aim is to build a model of normal network communication behavior in the networked control system using unsupervised or semi-supervised self-learning methods, and then to analyze each round of communication behavior against that model to decide whether an anomaly has occurred. However, according to how open their protocol specification and message format are, industrial communication protocols can be divided into known and unknown protocols: the specification and message format of a known protocol are fully public, whereas those of an unknown protocol are undisclosed and proprietary. The anomaly detection techniques above are mostly confined to known industrial communication protocol specifications and rarely address anomaly detection for unknown industrial communication protocol specifications.
Summary of the invention
In view of this, an object of the present invention is to provide an anomaly detection method for unknown industrial communication protocol specifications. The method follows the idea of defense in depth, addresses the fragility of industrial control systems and the problem of security detection, and safeguards the safe operation of industrial control systems.
A further object of the present invention is to provide an anomaly detection method for unknown industrial communication protocol specifications which, for industrial communication protocols used in an industrial control system whose specification and message format are not public, completes feature extraction on communication sessions, trains an anomaly detection model in a self-learning manner, discovers and detects abnormal communication behavior in the industrial control system in real time, and thereby protects the key infrastructure in the industrial control system.
The technical scheme adopted by the present invention to achieve the above objects is an anomaly detection method for unknown industrial communication protocol specifications comprising the following stages:
Stage one, the self-learning stage: first capture communication packets in the industrial control network, then pre-process the data to generate event sequences, obtain optimized initial parameters through parameter optimization, and finally train an event-based hidden Markov model using the event sequences and the optimized initial parameters, determining the behavior probability threshold at the same time;
Stage two, the real-time detection stage: first capture communication packets in the industrial control network in real time, pre-process the data to generate the event sequence representing a given session, then input the event sequence to the hidden Markov model and calculate the behavior probability of this event sequence with the Forward algorithm, and finally compare the result with the behavior probability threshold to achieve anomaly detection of industrial communication behavior.
The communication packets in the industrial control network are packets exchanged using an industrial communication protocol whose specification and message format are not public.
The data pre-processing comprises the following steps:
Session reassembly: first form a session identifier from the four-tuple <source IP, destination IP, source port, destination port>, which determines a session, and then reassemble the packets belonging to the same session according to the session identifier;
Payload merging: extract the application-layer payload of the reassembled packets and merge the payload contents belonging to the same session, in order of packet arrival time, to form the session message;
Feature extraction: use an N-gram model to map the byte sequence of the session message into a finite feature space;
Cluster analysis: cluster the extracted features with the K-means algorithm, dividing the whole feature space into several clusters, where each cluster is called an event.
In the session reassembly, the criterion for deciding that a session has ended is as follows: if no data communication with the same session identifier occurs within a set time interval, the session is considered terminated; if data communication with the same session identifier appears afterwards, a new session is opened.
The set time interval can be adjusted according to the specific network traffic conditions.
The parameter optimization uses a genetic algorithm to optimize the initial parameters of the hidden Markov model, which specifically comprise the initial state probability vector, the state transition probability matrix and the observation probability matrix.
The event-based hidden Markov model training process is as follows:
Step 1: establish the initial model using the parameters optimized by the genetic algorithm;
Step 2: from the initial model and the input event sequence, train a new hidden Markov model with the Baum-Welch algorithm;
Step 3: with the Forward algorithm, calculate the behavior probability of this event sequence under the new hidden Markov model and under the previous hidden Markov model respectively;
Step 4: if the difference between the two behavior probabilities is smaller than a preset threshold m consecutive times, terminate training, where m is a defined number of comparisons; otherwise go to step 2.
The behavior probability threshold is the minimum of the m behavior probabilities calculated during hidden Markov model training.
Comparing the calculated result with the behavior probability threshold to achieve anomaly detection of industrial communication behavior specifically means: perform a likelihood-ratio comparison, and if the behavior probability of this event sequence is smaller than the behavior probability threshold, judge that an anomaly has occurred in the control network communication and generate an alarm.
The present invention has the following advantages and beneficial effects:
1. As can be seen from the above technical scheme, compared with the prior art, the present invention provides an anomaly detection method for unknown industrial communication protocol specifications which can build, in a self-learning manner, an anomaly detection model applicable to unknown industrial communication protocol specifications, identify abnormal communication behavior in the industrial control system in real time, and protect the security of industrial control system network communication.
2. The method of the invention performs session reassembly, payload merging, feature extraction and cluster analysis on communication packets that use an unknown industrial communication protocol specification, so that each session interaction of industrial communication can be described by a sequence of events, and each event sequence represents one communication behavior of the industrial control system.
3. The method of the invention is a third-party, out-of-band monitoring method: it need not be placed in-line in the industrial control system network, it can identify and raise alarms on intrusions and unauthorized behavior occurring in the network, and it does not interfere with the real-time performance and availability of industrial control system operation.
Brief description of the drawings
Fig. 1 is a schematic diagram of the deployment of the method of the invention under a typical industrial control system network architecture;
Fig. 2 is a schematic diagram of the basic model of the method of the invention;
Fig. 3 is a schematic diagram of an embodiment of the data pre-processing procedure in the method of the invention;
Fig. 4 is a schematic diagram of the event-based hidden Markov model training process of the method of the invention;
Fig. 5 is a schematic diagram of the real-time detection procedure of the method of the invention.
Detailed description of the embodiments
The technical scheme in the embodiments of the present invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative work fall within the scope of protection of the present invention.
The method of the present invention belongs to the field of industrial control system information security. Fig. 1 shows the deployment of the method, as a third-party out-of-band monitoring method, under a typical industrial control system network architecture. As shown in Fig. 1, the method can be deployed on a mirror port of the industrial control system network switch. By capturing and analyzing in real time the communication packets replicated to the mirror port, and without disturbing the real-time performance and availability of the industrial control system, the method can identify and alarm on intrusions, unauthorized behavior or mis-operations that do not conform to the normal process flow of the industrial control system, protecting the network communication security of the industrial control system.
The invention provides an anomaly detection method for unknown industrial communication protocol specifications. Fig. 2 shows the basic model of this method. The model is divided into a self-learning stage and a real-time detection stage. The self-learning stage mainly completes the analysis and feature extraction of the raw network communication data, forms event sequences, trains the model with the event sequences as the input of the hidden Markov model, and finally obtains the optimized hidden Markov model and the behavior probability threshold by iteration. The real-time detection stage uses the optimized hidden Markov model to calculate the behavior probability of the event sequences processed in real time and compares it with the behavior probability threshold, completing the anomaly detection of industrial communication behavior.
Fig. 3 shows an embodiment of the data pre-processing procedure used in both the self-learning stage and the real-time detection stage of the method. The specific procedure is as follows:
First, session reassembly. Communication packets in the industrial control system network are captured in real time and reassembled in time order. During session reassembly, each session is uniquely identified by the packet four-tuple <source IP, destination IP, source port, destination port>. The criterion for deciding that a session has ended is: if no data communication with the same session identifier occurs within the time interval τ_session, the session is considered terminated; if data communication with the same session identifier appears afterwards, a new session is opened. τ_session can be set according to the actual traffic conditions of the network.
Second, payload merging. For each session, the application-layer payload of each packet in the session is extracted and the payload contents belonging to the same session are merged to form the session message. The merging criterion is: if the time interval between two packets is smaller than τ_packet, the payloads of the two packets are merged. In general τ_session > τ_packet. τ_packet can be set according to the actual traffic conditions of the network.
Third, feature extraction. Although the content of an unknown protocol is proprietary, a networked control system usually repeats the same process flow periodically, so the session messages of different sessions are highly similar. An N-gram model is established to map the byte sequence of the session message into a finite feature space (because the network scale of a networked control system is limited, the number of communication states is limited, and the definition of either the "function field" or the "address field" generally does not exceed 2 bytes, N = 2 is chosen for the N-gram model). The sequence formed by all the features describes the concrete meaning of the session message in the feature space.
Finally, cluster analysis. Because the original dimensionality of the feature space produced by the N-gram mapping is very large, clustering is used to reduce the dimensionality of the feature space, which improves the efficiency and accuracy of hidden Markov model training to a certain extent. The features are clustered with the K-means algorithm, dividing the whole feature space into several clusters such that features in the same cluster are highly similar and features in different clusters are less similar; each cluster is called an event. In summary, a session interaction of an unknown protocol can be described by a series of event sequences, and each event sequence can be regarded as one communication behavior of the industrial control system.
Fig. 4 shows an embodiment of the event-based hidden Markov model training process of the method. Event sequences formed from normal communication data of the industrial control system are used as input, the event-based hidden Markov model is trained iteratively, and a model of the completely normal operation of the control system is established. The specific training steps are as follows:
Step 1: use a genetic algorithm to optimize the initial parameters of the hidden Markov model, including the initial state probability vector, the state transition probability matrix and the observation probability matrix, and then establish the initial hidden Markov model λ0 from the initial parameters;
Step 2: from the model λ0 and the input event sequence O, train a new hidden Markov model λ with the Baum-Welch algorithm;
Step 3: with the Forward algorithm, calculate the behavior probabilities p(O|λ) and p(O|λ0) of this event sequence under the new hidden Markov model λ and the previous hidden Markov model λ0 respectively;
Step 4: if |log p(O|λ) − log p(O|λ0)| < δ holds m consecutive times, where δ is a preset threshold, terminate the algorithm and output the optimized hidden Markov model λK and the behavior probability threshold K for event sequences, where the behavior probability threshold is the minimum of the m behavior probabilities calculated during hidden Markov model training;
Step 5: otherwise, set λ0 = λ and go to step 2.
Fig. 5 shows the real-time detection procedure of the method. Real-time detection uses the hidden Markov model detection mechanism: given an observed event sequence X and the optimized hidden Markov model λK, the behavior probability p(X|λK) is calculated and compared with the behavior probability threshold K to judge whether an anomaly has occurred. The specific steps are as follows:
Step 1: capture the communication data in the control system in real time and pre-process it, including session reassembly, payload merging, feature extraction and cluster analysis, generating the event sequence X that represents a given session;
Step 2: feed the event sequence X into the optimized hidden Markov model λK and calculate the behavior probability p(X|λK) of this event sequence with the Forward algorithm;
Step 3: perform the likelihood-ratio comparison; if p(X|λK) < K, an anomaly has occurred in the control system communication and an alarm is generated; otherwise go to step 1.
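The training loop of steps 1 to 5 and the real-time comparison p(X|λK) < K, as an added Python example that is not from the patent. It assumes a seeded random initialization in place of the genetic-algorithm optimization of step 1, trains on several normal event sequences at once with the termination test applied to their total log-likelihood, keeps the threshold K in the log domain, and uses constructed event sequences.

```python
"""Self-learning (training) and real-time detection stages of the method, written as an
added example (not the patent's code). Assumptions: a seeded random initialization stands
in for the genetic-algorithm optimization of step 1; several normal event sequences are
trained together, with the termination test on their total log-likelihood; the threshold
K is kept in the log domain. Pure Python, no third-party packages."""
import math
import random

FLOOR = 1e-6   # keeps every probability non-zero so the Forward pass and log() stay defined


def _normalize(row):
    row = [max(x, FLOOR) for x in row]
    s = sum(row)
    return [x / s for x in row]


def forward(obs, pi, A, B):
    """Scaled Forward algorithm: returns (log p(obs|lambda), scaled alphas, scale factors)."""
    N, alpha, scales = len(pi), [], []
    for t, o in enumerate(obs):
        if t == 0:
            a = [pi[i] * B[i][o] for i in range(N)]
        else:
            a = [sum(alpha[-1][j] * A[j][i] for j in range(N)) * B[i][o] for i in range(N)]
        c = sum(a)
        alpha.append([x / c for x in a])
        scales.append(c)
    return sum(math.log(c) for c in scales), alpha, scales


def backward(obs, A, B, scales):
    """Backward pass with the same scale factors, so gamma = alpha * beta directly."""
    N, T = len(A), len(obs)
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N))
                   / scales[t + 1] for i in range(N)]
    return beta


def baum_welch_step(seqs, pi, A, B):
    """One Baum-Welch re-estimation over all training sequences (step 2)."""
    N, M = len(pi), len(B[0])
    pi_acc, A_acc, B_acc = [0.0] * N, [[0.0] * N for _ in range(N)], [[0.0] * M for _ in range(N)]
    for obs in seqs:
        _, alpha, scales = forward(obs, pi, A, B)
        beta = backward(obs, A, B, scales)
        for t, o in enumerate(obs):
            for i in range(N):
                gamma = alpha[t][i] * beta[t][i]            # P(state i at t | obs)
                pi_acc[i] += gamma if t == 0 else 0.0
                B_acc[i][o] += gamma
                if t + 1 < len(obs):
                    for j in range(N):                        # xi_t(i, j) under scaling
                        A_acc[i][j] += alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] / scales[t + 1]
    return _normalize(pi_acc), [_normalize(r) for r in A_acc], [_normalize(r) for r in B_acc]


def train(seqs, n_states, n_events, m=3, delta=1e-3, seed=7, max_iter=500):
    """Steps 1-5: returns (lambda_K, log K), the model after |log p(O|lambda) - log p(O|lambda0)|
    < delta held m times in a row and the lowest behavior log-probability seen in those m iterations."""
    rng = random.Random(seed)                                 # step 1 (random instead of GA)
    pi = _normalize([rng.random() for _ in range(n_states)])
    A = [_normalize([rng.random() for _ in range(n_states)]) for _ in range(n_states)]
    B = [_normalize([rng.random() for _ in range(n_events)]) for _ in range(n_states)]
    stable, recent = 0, []
    for _ in range(max_iter):
        new = baum_welch_step(seqs, pi, A, B)                 # step 2
        old_ll = [forward(o, pi, A, B)[0] for o in seqs]      # step 3: log p(O|lambda0)
        new_ll = [forward(o, *new)[0] for o in seqs]          # step 3: log p(O|lambda)
        recent.append(min(new_ll))
        stable = stable + 1 if abs(sum(new_ll) - sum(old_ll)) < delta else 0
        pi, A, B = new                                        # step 5: lambda0 = lambda
        if stable >= m:                                       # step 4
            break
    return (pi, A, B), min(recent[-m:])


def detect(obs, model, log_k):
    """Real-time detection: alarm when log p(X|lambda_K) < log K."""
    ll = forward(obs, *model)[0]
    return ll < log_k, ll


# Constructed event sequences: a periodic read cycle learnt as normal (events 0..2), and one
# session whose function/address 2-grams fell into an event cluster (3) never seen in normal traffic.
NORMAL = [[0, 0, 2, 1, 0, 0, 0, 2, 1, 0], [0, 0, 2, 1, 0, 0, 0, 2, 1, 0],
          [0, 0, 0, 2, 1, 0, 0, 2, 1, 0], [0, 0, 2, 1, 0, 0, 0, 2, 1, 0]]
ANOMALY = [0, 0, 3, 3, 0, 0, 0, 2, 1, 0]

if __name__ == "__main__":
    model, log_k = train(NORMAL, n_states=3, n_events=4)
    print("log K =", round(log_k, 3))
    for seq in NORMAL + [ANOMALY]:
        alarm, ll = detect(seq, model, log_k)
        print(seq, "log p =", round(ll, 3), "ALARM" if alarm else "normal")
```

Because K is the lowest training log-probability, a session much longer than the training sessions scores below K simply by being longer; the constructed sequences are all of equal length for that reason, and a deployment should compare sessions of comparable length or normalize by length.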

Claims (9)

  1. An anomaly detection method for unknown industrial communication protocol specifications, characterized in that it comprises the following stages:
    Stage one, the self-learning stage: first capture communication packets in the industrial control network, then pre-process the data to generate event sequences, obtain optimized initial parameters through parameter optimization, and finally train an event-based hidden Markov model using the event sequences and the optimized initial parameters, determining the behavior probability threshold at the same time;
    Stage two, the real-time detection stage: first capture communication packets in the industrial control network in real time, pre-process the data to generate the event sequence representing a given session, then input the event sequence to the hidden Markov model and calculate the behavior probability of this event sequence with the Forward algorithm, and finally compare the result with the behavior probability threshold to achieve anomaly detection of industrial communication behavior.
  2. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that the communication packets in the industrial control network are packets exchanged using an industrial communication protocol whose specification and message format are not public.
  3. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that the data pre-processing comprises the following steps:
    Session reassembly: first form a session identifier from the four-tuple <source IP, destination IP, source port, destination port>, which determines a session, and then reassemble the packets belonging to the same session according to the session identifier;
    Payload merging: extract the application-layer payload of the reassembled packets and merge the payload contents belonging to the same session, in order of packet arrival time, to form the session message;
    Feature extraction: use an N-gram model to map the byte sequence of the session message into a finite feature space;
    Cluster analysis: cluster the extracted features with the K-means algorithm, dividing the whole feature space into several clusters, where each cluster is called an event.
  4. The anomaly detection method for unknown industrial communication protocol specifications according to claim 3, characterized in that, in the session reassembly, the criterion for deciding that a session has ended is as follows: if no data communication with the same session identifier occurs within a set time interval, the session is considered terminated; if data communication with the same session identifier appears afterwards, a new session is opened.
  5. The anomaly detection method for unknown industrial communication protocol specifications according to claim 4, characterized in that the set time interval can be adjusted according to the specific network traffic conditions.
  6. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that the parameter optimization uses a genetic algorithm to optimize the initial parameters of the hidden Markov model, which specifically comprise the initial state probability vector, the state transition probability matrix and the observation probability matrix.
  7. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that the event-based hidden Markov model training process is as follows:
    Step 1: establish the initial model using the parameters optimized by the genetic algorithm;
    Step 2: from the initial model and the input event sequence, train a new hidden Markov model with the Baum-Welch algorithm;
    Step 3: with the Forward algorithm, calculate the behavior probability of this event sequence under the new hidden Markov model and under the previous hidden Markov model respectively;
    Step 4: if the difference between the two behavior probabilities is smaller than a preset threshold m consecutive times, terminate training, where m is a defined number of comparisons; otherwise go to step 2.
  8. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that the behavior probability threshold is the minimum of the m behavior probabilities calculated during hidden Markov model training.
  9. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterized in that comparing the calculated result with the behavior probability threshold to achieve anomaly detection of industrial communication behavior specifically comprises: performing a likelihood-ratio comparison, and if the behavior probability of this event sequence is smaller than the behavior probability threshold, judging that an anomaly has occurred in the control network communication and generating an alarm.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201610356186.3A (CN107438052B, en)   2016-05-26   2016-05-26   Anomaly detection method for unknown industrial communication protocol specifications

Publications (2)

Publication Number   Publication Date
CN107438052A (en)    2017-12-05
CN107438052B (en)    2019-10-25

Family

ID=60453326

Family Applications (1)

Application Number   Status   Priority Date   Filing Date   Title
CN201610356186.3A (CN107438052B, en)   Active   2016-05-26   2016-05-26   Anomaly detection method for unknown industrial communication protocol specifications

Country Status (1)

Country Link
CN (1) CN107438052B (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080140589A1 (en) * 2006-12-06 2008-06-12 Microsoft Corporation Active learning framework for automatic field extraction from network traffic
CN101060444A (en) * 2007-05-23 2007-10-24 西安交大捷普网络科技有限公司 Bayesian statistical model based network anomaly detection method
CN101707532A (en) * 2009-10-30 2010-05-12 中山大学 Automatic analysis method for unknown application layer protocol

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
何中阳 et al.: "Protocol identification technology based on hidden Markov models", Journal of Information Engineering University *
韩景灵: "Research on a protocol-based hidden Markov network intrusion detection system", China Master's Theses Full-text Database, Information Science and Technology series *

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107102223A (en) * 2017-03-29 2017-08-29 江苏大学 NPC photovoltaic inverter fault diagnosis method based on an improved hidden Markov model (GHMM)
WO2019128938A1 (en) * 2017-12-29 2019-07-04 北京神州绿盟信息安全科技股份有限公司 Method for extracting feature string, device, network apparatus, and storage medium
US11379687B2 (en) 2017-12-29 2022-07-05 Nsfocus Technologies Group Co., Ltd. Method for extracting feature string, device, network apparatus, and storage medium
CN108737410B (en) * 2018-05-14 2021-04-13 辽宁大学 Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN108737410A (en) * 2018-05-14 2018-11-02 辽宁大学 Limited-knowledge industrial communication protocol anomaly detection method based on feature association
CN108881255A (en) * 2018-06-29 2018-11-23 长扬科技(北京)有限公司 Botnet detection method based on C&C communication state transitions
CN109688030A (en) * 2019-02-26 2019-04-26 百度在线网络技术(北京)有限公司 Message detecting method, device, equipment and storage medium
CN109889538A (en) * 2019-03-20 2019-06-14 中国工商银行股份有限公司 User abnormal behavior detection method and system
CN109889538B (en) * 2019-03-20 2021-09-21 中国工商银行股份有限公司 User abnormal behavior detection method and system
CN110460458A (en) * 2019-04-15 2019-11-15 清华大学深圳研究生院 Traffic anomaly detection method based on multi-order Markov chains
CN110460458B (en) * 2019-04-15 2022-03-11 清华大学深圳研究生院 Flow anomaly detection method based on multi-order Markov chain
CN110149346A (en) * 2019-06-12 2019-08-20 上海观安信息技术股份有限公司 Method and system for detecting abnormal instructions in a power network
CN110535878A (en) * 2019-09-23 2019-12-03 电子科技大学 Threat detection method based on event sequences
CN110535878B (en) * 2019-09-23 2021-03-30 电子科技大学 Threat detection method based on event sequence
WO2021219468A1 (en) * 2020-04-30 2021-11-04 British Telecommunications Public Limited Company Network anomaly identification
CN111600863A (en) * 2020-05-08 2020-08-28 杭州安恒信息技术股份有限公司 Network intrusion detection method, device, system and storage medium
CN111600863B (en) * 2020-05-08 2022-09-13 杭州安恒信息技术股份有限公司 Network intrusion detection method, device, system and storage medium
CN111935085A (en) * 2020-06-30 2020-11-13 物耀安全科技(杭州)有限公司 Method and system for detecting and protecting abnormal network behaviors of industrial control network
CN112688946B (en) * 2020-12-24 2022-06-24 工业信息安全(四川)创新中心有限公司 Method, module, storage medium, device and system for constructing abnormality detection features
CN112688946A (en) * 2020-12-24 2021-04-20 工业信息安全(四川)创新中心有限公司 Method, module, storage medium, device and system for constructing abnormality detection features
CN113098837A (en) * 2021-02-19 2021-07-09 中国科学院信息工程研究所 Industrial firewall state detection method and device, electronic equipment and storage medium
CN113098837B (en) * 2021-02-19 2022-08-23 中国科学院信息工程研究所 Industrial firewall state detection method and device, electronic equipment and storage medium
CN113315781A (en) * 2021-06-10 2021-08-27 浙江惠瀜网络科技有限公司 HMM model-based abnormal data detection method
CN113852515A (en) * 2021-08-26 2021-12-28 西安电子科技大学广州研究院 Node state control method and system of digital twin network
CN113852515B (en) * 2021-08-26 2023-05-09 西安电子科技大学广州研究院 Node state management and control method and system for digital twin network
CN114124447A (en) * 2021-10-12 2022-03-01 杭州电子科技大学 Intrusion detection method and device based on Modbus data packet recombination
CN114124447B (en) * 2021-10-12 2024-02-02 杭州电子科技大学 Intrusion detection method and device based on Modbus data packet reorganization
CN116016298A (en) * 2023-01-04 2023-04-25 重庆邮电大学 5G communication protocol anomaly detection method based on hidden semi-Markov model
CN116016298B (en) * 2023-01-04 2024-04-09 重庆邮电大学 5G communication protocol anomaly detection method based on hidden semi-Markov model

Also Published As

Publication number Publication date
CN107438052B (en) 2019-10-25

Similar Documents

Publication Publication Date Title
CN107438052A (en) Anomaly detection method for unknown industrial communication protocol specifications
WO2020143226A1 (en) Industrial control system intrusion detection method based on integrated learning
CN108737410B (en) Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN110120948B (en) Illegal external connection monitoring method based on wireless and wired data stream similarity analysis
CN104348829B (en) Network security situation awareness system and method
CN107241224A (en) Network risk monitoring method and system for a substation
CN110619587B (en) Method and system for foundation pit monitoring intelligent early warning and data evidence storage
CN107835201A (en) Network attack detecting method and device
KR101375813B1 (en) Active security sensing device and method for intrusion detection and audit of digital substation
CN110324323B (en) New energy plant station network-related end real-time interaction process anomaly detection method and system
CN104331072A (en) Information security risk assessment method oriented to typical metallurgy process control system
CN106200615B (en) Intelligent rail transit early-warning implementation method based on association relationships
CN107104960A (en) Industrial control system intrusion detection method based on machine learning
CN108667834A (en) Network security situational awareness method based on artificial immunity and grey relational grade analysis
CN108076053A (en) Real-time traffic interception and anomaly early-warning system and method for the wireless Internet of Things
CN109639756A (en) Terminal network association display and device access real-time monitoring system
CN105871861B (en) Intrusion detection method with self-learning protocol rules
CN109150920A (en) Attack detection and traceback method based on software-defined networking
CN105867347A (en) Trans-space cascade fault detection method based on machine learning technology
CN115277113A (en) Power grid network intrusion event detection and identification method based on ensemble learning
CN110266680A (en) Industrial communication anomaly detection method based on dual similarity measurement
CN112261042A (en) Anti-seepage system based on attack hazard assessment
CN113259367B (en) Industrial control network flow multistage anomaly detection method and device
CN111586075A (en) Hidden channel detection method based on multi-scale stream analysis technology
CN110086829A (en) Method for Internet of Things anomaly detection based on machine learning techniques

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant