CN107438052B - Anomaly detection method for unknown industrial communication protocol specifications

Info

Publication number: CN107438052B
Authority: CN (China)
Prior art keywords: sequence, behavior, events, session, hidden markov
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201610356186.3A
Other languages: Chinese (zh)
Other versions: CN107438052A (en)
Inventors: 万明, 尚文利, 赵剑明, 曾鹏, 于海斌
Current assignee: Shenyang Institute of Automation of CAS (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shenyang Institute of Automation of CAS
Priority date: 2016-05-26 (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date: 2016-05-26
Publication date: 2019-10-25

2016-05-26: Application filed by Shenyang Institute of Automation of CAS; priority to CN201610356186.3A
2017-12-05: Publication of CN107438052A
2019-10-25: Application granted; publication of CN107438052B
Current legal status: Active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425: Traffic logging, e.g. anomaly detection

Abstract

The invention discloses an anomaly detection method for industrial communication protocols whose specification is unknown. The method has two stages, a self-learning stage and a real-time detection stage. In the self-learning stage the raw network communication data is analysed, features are extracted and event sequences are formed; the event sequences are used as the input of a hidden Markov model, and an optimised hidden Markov model together with a behaviour probability threshold is obtained by iterative training. In the real-time detection stage the optimised hidden Markov model computes the behaviour probability of the event sequence produced from live traffic, and comparing that probability with the behaviour probability threshold completes the anomaly detection of the industrial communication behaviour. The invention can check the legitimacy of industrial communication data streams that use an unknown protocol specification, discover abnormal industrial communication behaviour in real time and raise an alarm, thereby protecting the network communication security of industrial control systems.

Description

Anomaly detection method for unknown industrial communication protocol specifications
Technical field
The present invention relates to the technical field of industrial control system network security, and more particularly to an anomaly detection method for industrial communication protocols whose specification is unknown.
Background
With the development of modern communication, computing, networking and control technology, information technology is being applied in ever more fields, and the fusion of industrialisation and informatisation has become an inevitable trend. As a significant product of this trend, networked industrial control systems have received great attention from the state and have become one of the strategic priorities of national economic and social development. However, networking and informatisation have gradually broken the closed nature that industrial control systems originally possessed; their information security problems are exposed day by day and show a trend of growing severity. A major reason why industrial control systems carry so many information security risks is that the industrial communication protocols they use were designed and implemented without information security considerations and lack corresponding security mechanisms.
For this reason, industry and academia have begun to study and explore the information security protection of industrial control systems. Most current attacks on industrial control systems use vulnerabilities in industrial communication protocols as the point of entry to threaten industrial control terminal equipment, so existing protection methods for industrial control systems are also built on parsing proprietary industrial communication protocols. For example, industrial firewalls use deep packet inspection (DPI) to analyse and filter industrial communication protocols in depth, achieving access control over industrial communication data streams. Industrial gateways use network isolation techniques oriented to proprietary industrial communication protocols to secure data acquisition and exchange between different zones. Although both methods protect industrial control systems from network attacks to some extent, they have shortcomings: first, the whitelist rules are configured manually, and any deviation leads to incorrect security rules; second, as network security middleware placed in line, they affect the real-time operation of the system.
Because anomaly detection can identify, detect and respond to intrusions and unauthorised behaviour occurring in the network without interfering with the real-time operation and availability of the industrial control system, it has become a research hotspot as a third-party, bypass (out-of-band) method of monitoring abnormal behaviour. Current anomaly detection techniques for industrial control systems fall into three classes: statistics-based methods, knowledge-based methods and machine-learning-based methods. All three model industrial communication behaviour on the basis of an in-depth analysis of the industrial communication protocol: using unsupervised or semi-supervised self-learning methods, they construct a model of the normal network communication behaviour of the networked control system and compare the next round of communication behaviour against it to decide whether the communication behaviour is abnormal. However, according to how open the protocol specification and message format are, industrial communication protocols in control systems can be divided into known and unknown protocols: the specification and message format of a known protocol are fully public, whereas those of an unknown protocol are non-public and proprietary. The anomaly detection techniques above are mostly confined to known industrial communication protocol specifications; anomaly detection for unknown protocol specifications has seldom been addressed.
Summary of the invention
In view of this, the object of the present invention is to provide an anomaly detection method for unknown industrial communication protocol specifications that follows the idea of "defence in depth", addresses the fragility and security detection problems of industrial control systems, and ensures their safe operation.
A further object of the present invention is to provide an anomaly detection method for unknown industrial communication protocol specifications that, for industrial communication protocols used in industrial control systems whose specification and message format are not public, extracts features from communication sessions and trains an anomaly detection model in a self-learning manner, thereby discovering and detecting abnormal communication behaviour in industrial control systems in real time and protecting the security of the critical infrastructure in those systems.
The technical solution adopted by the present invention to achieve these objects is an anomaly detection method for unknown industrial communication protocol specifications comprising the following stages:
Stage one, the self-learning stage: first capture the communication packets in the industrial control network, then preprocess the data to generate event sequences and optimise the initial parameters by parameter optimisation, and finally train an event-based hidden Markov model from the event sequences and the optimised initial parameters while determining a behaviour probability threshold;
Stage two, the real-time detection stage: first capture the communication packets in the industrial control network in real time and preprocess the data to generate the event sequence representing a certain session, then input the event sequence into the hidden Markov model and compute the behaviour probability of this event sequence with the Forward algorithm, and finally compare the result with the behaviour probability threshold to detect anomalies in the industrial communication behaviour.
The communication packets in the industrial control network are packets communicated with an industrial communication protocol whose specification and message format are not public.
The data preprocessing comprises the following procedures:
Session reassembly: first form a session identifier from the 4-tuple <source IP, destination IP, source port, destination port> to determine a session, then reassemble the packets belonging to the same session according to the session identifier;
Data payload merging: extract the application-layer data payload of the reassembled packets and merge the payloads belonging to the same session in order of packet arrival time to form a conversation message;
Feature extraction: map the byte sequence of the conversation message into a finite feature space with an N-gram model;
Cluster analysis: cluster the extracted features with the K-means algorithm, dividing the whole feature space into several clusters, each cluster being called a kind of event.
In the session reassembly, a session is judged to have ended as follows: if no data communication with the same session identifier appears within a set time interval, the session is considered terminated; if data communication with the same session identifier appears afterwards, a new session is opened.
The set time interval can be adjusted according to the specific network traffic conditions.
The parameter optimisation uses a genetic algorithm to optimise the initial parameters of the hidden Markov model, namely the initial state probability vector, the state transition probability matrix and the observation probability matrix.
The event-based hidden Markov model training procedure is as follows:
Step 1: establish an initial model with parameters optimised by a genetic algorithm;
Step 2: train a new hidden Markov model with the Baum-Welch algorithm from the initial model and the input event sequence;
Step 3: compute with the Forward algorithm the behaviour probability of this event sequence under the new hidden Markov model and under the previous one;
Step 4: if the difference between the two behaviour probabilities is less than a preset threshold m consecutive times, where m is a specified number of comparisons, terminate training; otherwise go to step 2.
The behaviour probability threshold is the minimum of the m behaviour probabilities computed during hidden Markov model training.
Comparing the result with the behaviour probability threshold to detect anomalies in the industrial communication behaviour specifically means: compare the probabilities, and if the behaviour probability of this event sequence is less than the behaviour probability threshold, judge that an anomaly has occurred in the control network communication and generate an alarm.
The present invention has the following advantages and beneficial effects:
1. Compared with the prior art, the present invention provides an anomaly detection method for unknown industrial communication protocol specifications that builds, in a self-learning manner, an anomaly detection model suited to such protocols, identifies abnormal communication behaviour in industrial control systems in real time, and protects the security of industrial control system network communication.
2. For communication packets using an unknown industrial communication protocol specification, the method performs session reassembly, data payload merging, feature extraction and cluster analysis, so that every session interaction of the industrial communication can be described by a sequence of events, and every event sequence represents one communication behaviour of the industrial control system.
3. The method is a third-party bypass method of monitoring abnormal behaviour: it does not need to be placed in line in the industrial control system network, it can identify and alarm on intrusions and unauthorised behaviour occurring in the network, and it does not interfere with the real-time operation and availability of the industrial control system.
Description of the drawings
Fig. 1 is a schematic diagram of the deployment of the method of the invention under a typical industrial control system network architecture;
Fig. 2 is a schematic diagram of the basic model of the method of the invention;
Fig. 3 is a schematic diagram of an embodiment of the data preprocessing procedure in the method of the invention;
Fig. 4 is a schematic diagram of the event-based hidden Markov model training procedure of the method of the invention;
Fig. 5 is a schematic diagram of the real-time detection procedure of the method of the invention.
Specific embodiments
The technical solution in the embodiments of the present invention is described clearly and completely below with reference to the drawings. The described embodiments are obviously only some, not all, of the embodiments of the invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
The method of the invention belongs to the field of industrial control system information security. It is a third-party bypass monitoring method, and Fig. 1 shows its deployment under a typical industrial control system network architecture. As shown in Fig. 1, the method can be deployed on a mirror port of the industrial control system's network switch. By capturing and analysing in real time the communication packets replicated to the mirror port, and without interfering with the real-time operation and availability of the industrial control system, the method can identify and alarm on intrusions, unauthorised behaviour or misoperations that do not conform to the normal process operating flow of the industrial control system, thereby ensuring its network communication security.
The present invention provides an anomaly detection method for unknown industrial communication protocol specifications. Fig. 2 shows the basic model of the method. The model is divided into a self-learning stage and a real-time detection stage. The self-learning stage analyses the raw network communication data, extracts features and forms event sequences; the event sequences are used as the input of a hidden Markov model, and an optimised hidden Markov model together with a behaviour probability threshold is obtained by iterative training. The real-time detection stage uses the optimised hidden Markov model to compute the behaviour probability of the event sequence produced from live traffic, and comparing that probability with the behaviour probability threshold completes the anomaly detection of the industrial communication behaviour.
Fig. 3 shows an embodiment of the data preprocessing procedure shared by the self-learning stage and the real-time detection stage. The specific procedure is as follows:
First, session reassembly. The communication packets in the industrial control system network are captured in real time and reassembled in chronological order. During session reassembly, each session is uniquely identified by the packet 4-tuple <source IP, destination IP, source port, destination port>. A session is judged to have ended as follows: if no data communication with the same session identifier occurs within a time interval τ_session, the session is considered terminated; if data communication with the same session identifier appears afterwards, a new session is opened. τ_session can be set according to the actual traffic conditions of the network.
Second, data payload merging. For each session, the application-layer data payload of every packet in the session is extracted, and the payloads belonging to the same session are merged to form a conversation message. The merging criterion is: if the time interval between two packets is less than τ_packet, the data payloads of the two packets are merged. In general τ_session > τ_packet. τ_packet can likewise be set according to the actual traffic conditions of the network.
Third, feature extraction. Although the content of an unknown protocol is proprietary, a networked control system usually repeats the same process flow periodically, so the conversation messages of different sessions are highly similar. An N-gram model is established that maps the byte sequence of a conversation message into a finite feature space (because the network scale of a networked control system is limited, the number of communication states is limited, and the definition of a "function field" or an "address field" generally does not exceed 2 bytes, N = 2 is chosen for the N-gram model). The sequence formed by all the features in the feature space describes the concrete meaning of the conversation message.
Finally, cluster analysis. Because the original dimensionality of the feature space produced by the N-gram mapping is very large, cluster analysis is used to reduce its dimensionality, which improves the efficiency and accuracy of hidden Markov model training to a certain extent. The features are clustered with the K-means algorithm, dividing the whole feature space into several clusters; features within the same cluster are highly similar, and features in different clusters are dissimilar. Each cluster is here called a kind of event. In summary, a session interaction of an unknown protocol can be described by a sequence of events, and each event sequence can be regarded as one communication behaviour of the industrial control system.
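The four preprocessing steps above (session reassembly on the 4-tuple with a τ_session timeout, payload merging with τ_packet, 2-gram feature extraction and K-means clustering of the features into events), carried out end to end as an added example; this is not code from the patent or its assignee. The packets, the two timeouts and the choice of k are constructed for the illustration, and plain Lloyd's K-means with a fixed seed stands in for whatever clustering implementation an embodiment would use.

```python
"""Preprocessing pipeline of the self-learning stage: session reassembly,
payload merging, byte 2-gram features and K-means event clustering.
Pure Python; constructed example, not the patent's code."""
from collections import defaultdict
import random

# Constructed packets: (arrival time in s, src IP, dst IP, src port, dst port, app-layer payload).
# Port 5020 and the payload bytes are arbitrary; they only need to look like a request/reply cycle.
PACKETS = [
    (0.00, "10.0.0.2", "10.0.0.10", 40001, 5020, b"\x01\x03\x00\x10"),
    (0.05, "10.0.0.2", "10.0.0.10", 40001, 5020, b"\x00\x02"),
    (1.00, "10.0.0.2", "10.0.0.10", 40001, 5020, b"\x01\x10\x00\x20\x00\x01"),
    (0.02, "10.0.0.3", "10.0.0.10", 40002, 5020, b"\x02\x03\x00\x10"),
    (9.00, "10.0.0.2", "10.0.0.10", 40001, 5020, b"\x01\x03\x00\x10"),  # after a silence > tau_session
]
TAU_SESSION = 5.0  # tau_session: silence that closes a session (constructed value)
TAU_PACKET = 0.5   # tau_packet: packets closer than this are merged into one message; tau_session > tau_packet


def reassemble_sessions(packets, tau_session):
    """Group packets by <src IP, dst IP, src port, dst port>; a gap longer than tau_session
    with no packet for that 4-tuple ends the session and the next packet opens a new one."""
    by_flow = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):  # chronological order first
        by_flow[pkt[1:5]].append(pkt)
    sessions = []
    for flow, pkts in by_flow.items():
        current = [pkts[0]]
        for prev, pkt in zip(pkts, pkts[1:]):
            if pkt[0] - prev[0] > tau_session:
                sessions.append((flow, current))
                current = []
            current.append(pkt)
        sessions.append((flow, current))
    return sessions


def merge_payloads(session_pkts, tau_packet):
    """Concatenate application-layer payloads of consecutive packets that arrive less than
    tau_packet apart; each run becomes one conversation message."""
    messages = [bytearray(session_pkts[0][5])]
    for prev, pkt in zip(session_pkts, session_pkts[1:]):
        if pkt[0] - prev[0] < tau_packet:
            messages[-1] += pkt[5]
        else:
            messages.append(bytearray(pkt[5]))
    return [bytes(m) for m in messages]


def ngrams(message, n=2):
    """Sliding byte N-grams of a message; the text chooses N = 2."""
    return [tuple(message[i:i + n]) for i in range(len(message) - n + 1)]


def nearest(centroids, point):
    """Index of the centroid closest (squared Euclidean distance) to an N-gram point."""
    return min(range(len(centroids)),
               key=lambda i: sum((a - b) ** 2 for a, b in zip(centroids[i], point)))


def kmeans(points, k, seed=0, max_iter=50):
    """Lloyd's K-means over the N-gram feature points; returns the k centroids (= events)."""
    centroids = random.Random(seed).sample(sorted(set(points)), k)
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[nearest(centroids, p)].append(p)
        new = [tuple(sum(c) / len(c) for c in zip(*cl)) if cl else centroids[i]
               for i, cl in enumerate(clusters)]
        if new == centroids:
            break
        centroids = new
    return centroids


def build_event_sequences(packets, k=4, tau_session=TAU_SESSION, tau_packet=TAU_PACKET):
    """Sessions -> conversation messages -> 2-grams -> event ids; one event sequence per session."""
    sessions = reassemble_sessions(packets, tau_session)
    per_session = [merge_payloads(pkts, tau_packet) for _, pkts in sessions]
    all_grams = [g for msgs in per_session for m in msgs for g in ngrams(m)]
    centroids = kmeans(all_grams, k)
    return [[nearest(centroids, g) for m in msgs for g in ngrams(m)] for msgs in per_session]


if __name__ == "__main__":
    flows = [flow for flow, _ in reassemble_sessions(PACKETS, TAU_SESSION)]
    for flow, seq in zip(flows, build_event_sequences(PACKETS, k=3)):
        print(flow, "->", seq)
```

The centroids learned here are what the real-time stage must reuse: live 2-grams are assigned to the nearest centroid from the self-learning stage, not re-clustered, otherwise event ids drift between training and detection.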
Fig. 4 shows an embodiment of the event-based hidden Markov model training procedure of the method of the invention. The event sequences formed from the normal communication data of the industrial control system are taken as input, and an event-based hidden Markov model is trained iteratively to establish a model of the completely normal operation of the control system. The specific training steps are as follows:
Step 1: optimise the initial parameters of the hidden Markov model with a genetic algorithm, namely the initial state probability vector, the state transition probability matrix and the observation probability matrix, and build the initial hidden Markov model λ_0 from these parameters;
Step 2: from the model λ_0 and the input event sequence O, train a new hidden Markov model λ with the Baum-Welch algorithm;
Step 3: with the Forward algorithm, compute the behaviour probability of this event sequence under the new model λ and under the previous model λ_0, i.e. p(O|λ) and p(O|λ_0);
Step 4: if |log p(O|λ) - log p(O|λ_0)| < δ holds m consecutive times, where δ is a preset threshold, terminate the algorithm and output the optimised hidden Markov model λ_K and the behaviour probability threshold K of the event sequence, K being the minimum of the m behaviour probabilities computed during training;
Step 5: otherwise, set λ_0 = λ and go to step 2.
Fig. 5 shows the real-time detection procedure of the method of the invention. Real-time detection uses the hidden Markov model detection mechanism: given an observed event sequence X and the optimised model λ_K, the behaviour probability p(X|λ_K) is computed and compared with the behaviour probability threshold K to judge whether an anomaly has occurred. The specific steps are as follows:
Step 1: capture the communication data of the control system in real time and preprocess it (session reassembly, data payload merging, feature extraction and cluster analysis) to generate the event sequence X representing a certain session;
Step 2: substitute X into the optimised hidden Markov model λ_K and compute the behaviour probability p(X|λ_K) of the event sequence with the Forward algorithm;
Step 3: compare the probabilities: if p(X|λ_K) < K, an anomaly has occurred in the control system communication and an alarm is generated; otherwise go to step 1.
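The training loop of steps 1 to 5 and the detection steps 1 to 3 above, as an added example that is not the patent's or the assignee's code. It generalises the single training sequence O of the text to a set of normal event sequences, accumulating the Baum-Welch statistics over all of them and taking K as the minimum of the behaviour probabilities computed for those sequences in the last m iterations. A seeded random initial model λ_0 is used in place of the genetic-algorithm optimisation, all probabilities are handled as logarithms so that the p(X|λ_K) < K test becomes log p(X|λ_K) < log K, and a small smoothing constant that keeps an event never seen in training from producing a hard zero is an addition of this example. The event sequences are constructed.

```python
"""Event-based HMM: Baum-Welch training with the m-consecutive |delta log p| < delta stop
rule, behaviour-probability threshold K, and Forward-algorithm detection.
Pure Python; constructed example, not the patent's code."""
import math
import random

EPS = 1e-9  # smoothing: an event unseen in training gets a tiny, not zero, probability

# Constructed event sequences from normal traffic (output of the preprocessing stage):
# a poll/reply cycle of four event clusters repeated a varying number of times.
NORMAL_SEQUENCES = [[0, 1, 2, 3] * 3, [0, 1, 2, 3] * 2, [0, 1, 2, 3] * 4, [0, 1, 2, 3, 0, 1]]
# Constructed session whose 2-gram clusters include an event (4) never observed while learning.
ANOMALOUS_SEQUENCE = [0, 4, 2, 4] * 4


def forward(seq, pi, A, B):
    """Scaled Forward algorithm: returns log p(seq | lambda), scaled alphas and scale factors."""
    N = len(pi)
    alphas, scales = [], []
    for t, o in enumerate(seq):
        if t == 0:
            alpha = [pi[i] * B[i][o] for i in range(N)]
        else:
            alpha = [sum(alphas[-1][j] * A[j][i] for j in range(N)) * B[i][o] for i in range(N)]
        c = sum(alpha)
        alphas.append([a / c for a in alpha])
        scales.append(c)
    return sum(math.log(c) for c in scales), alphas, scales


def backward(seq, A, B, scales):
    """Backward pass scaled with the Forward pass's factors so alpha*beta yields gamma."""
    N, T = len(A), len(seq)
    betas = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        betas[t] = [sum(A[i][j] * B[j][seq[t + 1]] * betas[t + 1][j] for j in range(N))
                    / scales[t + 1] for i in range(N)]
    return betas


def normalise(row):
    """Turn accumulated expected counts into a smoothed probability row."""
    total = sum(row) + EPS * len(row)
    return [(x + EPS) / total for x in row]


def baum_welch_step(seqs, pi, A, B):
    """One Baum-Welch re-estimation of (pi, A, B) with statistics summed over all sequences."""
    N, M = len(pi), len(B[0])
    pi_n, A_n, B_n = [0.0] * N, [[0.0] * N for _ in range(N)], [[0.0] * M for _ in range(N)]
    for seq in seqs:
        _, al, sc = forward(seq, pi, A, B)
        be = backward(seq, A, B, sc)
        for t, o in enumerate(seq):
            g = [al[t][i] * be[t][i] for i in range(N)]      # state posteriors gamma_t
            z = sum(g)
            g = [x / z for x in g]
            for i in range(N):
                B_n[i][o] += g[i]
                if t == 0:
                    pi_n[i] += g[i]
            if t + 1 < len(seq):                                # transition posteriors xi_t
                xi = [[al[t][i] * A[i][j] * B[j][seq[t + 1]] * be[t + 1][j] for j in range(N)]
                      for i in range(N)]
                z = sum(map(sum, xi))
                for i in range(N):
                    for j in range(N):
                        A_n[i][j] += xi[i][j] / z
    return normalise(pi_n), [normalise(r) for r in A_n], [normalise(r) for r in B_n]


def random_model(n_states, n_events, seed):
    """Seeded random lambda_0 (stands in for the genetic-algorithm optimisation in the text)."""
    rng = random.Random(seed)
    row = lambda n: normalise([rng.random() + 0.1 for _ in range(n)])
    return row(n_states), [row(n_states) for _ in range(n_states)], [row(n_events) for _ in range(n_states)]


def train(seqs, n_states, n_events, m=3, delta=1e-3, seed=0, max_iter=200):
    """Steps 1-5: iterate Baum-Welch until |log p(O|lambda) - log p(O|lambda_0)| < delta holds
    m times in a row; log K is the minimum behaviour log-probability seen in those last m iterations."""
    lam0 = random_model(n_states, n_events, seed)
    recent, stable = [], 0
    for _ in range(max_iter):
        lam = baum_welch_step(seqs, *lam0)
        lp_new = [forward(s, *lam)[0] for s in seqs]
        lp_old = [forward(s, *lam0)[0] for s in seqs]
        recent = (recent + lp_new)[-m * len(seqs):]
        stable = stable + 1 if abs(sum(lp_new) - sum(lp_old)) < delta else 0
        lam0 = lam
        if stable >= m:
            break
    return lam0, min(recent)


def detect(seq, lam, log_K):
    """Real-time steps 2-3: True (alarm) when log p(X|lambda_K) < log K."""
    return forward(seq, *lam)[0] < log_K


if __name__ == "__main__":
    model, log_K = train(NORMAL_SEQUENCES, n_states=4, n_events=5)
    print("log K =", round(log_K, 3))
    for name, s in [("normal", NORMAL_SEQUENCES[0]), ("anomalous", ANOMALOUS_SEQUENCE)]:
        print(name, "alarm" if detect(s, model, log_K) else "ok")
```

Because p(X|λ) is a product over every event in the session, it falls with sequence length, so a threshold taken from the training sessions is only meaningful when the sessions seen in detection are of comparable length to those used in learning; normalising the log-probability per event is a common way to decouple the two.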

Claims (6)

1. An anomaly detection method for unknown industrial communication protocol specifications, characterised in that it comprises the following stages:
Stage one, the self-learning stage: first capture the communication packets in the industrial control network, then preprocess the data to generate event sequences and optimise the initial parameters by parameter optimisation, and finally train an event-based hidden Markov model from the event sequences and the optimised initial parameters while determining a behaviour probability threshold;
Stage two, the real-time detection stage: first capture the communication packets in the industrial control network in real time and preprocess the data to generate the event sequence representing a certain session, then input the event sequence into the hidden Markov model and compute the behaviour probability of this event sequence with the Forward algorithm, and finally compare the result with the behaviour probability threshold to detect anomalies in the industrial communication behaviour;
the data preprocessing comprises the following procedures:
session reassembly: first form a session identifier from the 4-tuple <source IP, destination IP, source port, destination port> to determine a session, then reassemble the packets belonging to the same session according to the session identifier; in the session reassembly, a session is judged to have ended as follows: if no data communication with the same session identifier appears within a set time interval, the session is considered terminated, and if data communication with the same session identifier appears afterwards, a new session is opened;
data payload merging: extract the application-layer data payload of the reassembled packets and merge the payloads belonging to the same session in order of packet arrival time to form a conversation message;
feature extraction: map the byte sequence of the conversation message into a finite feature space with an N-gram model;
cluster analysis: cluster the extracted features with the K-means algorithm, dividing the whole feature space into several clusters, each cluster being called a kind of event;
the event-based hidden Markov model training procedure is as follows:
step 1: establish an initial model with parameters optimised by a genetic algorithm;
step 2: train a new hidden Markov model with the Baum-Welch algorithm from the initial model and the input event sequence;
step 3: compute with the Forward algorithm the behaviour probability of this event sequence under the new hidden Markov model and under the previous one;
step 4: if the difference between the two behaviour probabilities is less than a preset threshold m consecutive times, where m is a specified number of comparisons, terminate training; otherwise go to step 2.
2. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterised in that the communication packets in the industrial control network are packets communicated with an industrial communication protocol whose specification and message format are not public.
3. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterised in that the set time interval can be adjusted according to the specific network traffic conditions.
4. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterised in that the parameter optimisation uses a genetic algorithm to optimise the initial parameters of the hidden Markov model, the initial parameters comprising the initial state probability vector, the state transition probability matrix and the observation probability matrix.
5. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterised in that the behaviour probability threshold is the minimum of the m behaviour probabilities computed during hidden Markov model training.
6. The anomaly detection method for unknown industrial communication protocol specifications according to claim 1, characterised in that comparing the result with the behaviour probability threshold to detect anomalies in the industrial communication behaviour specifically means: compare the probabilities, and if the behaviour probability of this event sequence is less than the behaviour probability threshold, judge that an anomaly has occurred in the control network communication and generate an alarm.
Priority and family

Application CN201610356186.3A (Anomaly detection method for unknown industrial communication protocol specifications), priority date 2016-05-26, filing date 2016-05-26, status Active; family ID 60453326; country: CN.

Publications (2)

Publication Number Publication Date
CN107438052A (en) 2017-12-05
CN107438052B (en) 2019-10-25

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107102223A (en) * 2017-03-29 2017-08-29 Jiangsu University Fault diagnosis method for NPC photovoltaic inverters based on an improved hidden Markov model (GHMM)
CN108234347B (en) * 2017-12-29 2020-04-07 Beijing NSFOCUS Information Security Technology Co., Ltd. Method, device, network equipment and storage medium for extracting feature strings
CN108737410B (en) * 2018-05-14 2021-04-13 Liaoning University Limited-knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN108881255B (en) * 2018-06-29 2020-11-13 Changyang Technology (Beijing) Co., Ltd. Botnet detection method based on C&C communication state transitions
CN109688030B (en) * 2019-02-26 2020-11-03 Baidu Online Network Technology (Beijing) Co., Ltd. Message detection method, device, equipment and storage medium
CN109889538B (en) * 2019-03-20 2021-09-21 Industrial and Commercial Bank of China Ltd. User abnormal behavior detection method and system
CN110460458B (en) * 2019-04-15 2022-03-11 Tsinghua University Shenzhen Graduate School Traffic anomaly detection method based on multi-order Markov chains
CN110149346A (en) * 2019-06-12 2019-08-20 Shanghai Guan'an Information Technology Co., Ltd. Method and system for detecting abnormal commands in a power network
CN110535878B (en) * 2019-09-23 2021-03-30 University of Electronic Science and Technology of China Threat detection method based on event sequences
EP4143711A1 (en) * 2020-04-30 2023-03-08 British Telecommunications public limited company Network anomaly identification
CN111600863B (en) * 2020-05-08 2022-09-13 Hangzhou DBAPPSecurity Co., Ltd. Network intrusion detection method, device, system and storage medium
CN111935085A (en) * 2020-06-30 2020-11-13 Wuyao Security Technology (Hangzhou) Co., Ltd. Method and system for detecting and protecting against abnormal network behavior in industrial control networks
CN112688946B (en) * 2020-12-24 2022-06-24 Industrial Information Security (Sichuan) Innovation Center Co., Ltd. Method, module, storage medium, device and system for constructing anomaly detection features
CN113098837B (en) * 2021-02-19 2022-08-23 Institute of Information Engineering, Chinese Academy of Sciences Industrial firewall state detection method and device, electronic equipment and storage medium
CN113315781B (en) * 2021-06-10 2023-03-24 Zhejiang Huirong Network Technology Co., Ltd. Abnormal data detection method based on an HMM model
CN113852515B (en) * 2021-08-26 2023-05-09 Guangzhou Institute of Technology, Xidian University Node state management and control method and system for digital twin networks
CN114124447B (en) * 2021-10-12 2024-02-02 Hangzhou Dianzi University Intrusion detection method and device based on Modbus packet reassembly
CN116016298B (en) * 2023-01-04 2024-04-09 Chongqing University of Posts and Telecommunications 5G communication protocol anomaly detection method based on a hidden semi-Markov model

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060444A (en) * 2007-05-23 2007-10-24 Xi'an Jiaotong University Jiepu Network Technology Co., Ltd. Network anomaly detection method based on a Bayesian statistical model
CN101707532A (en) * 2009-10-30 2010-05-12 Sun Yat-sen University Automatic analysis method for unknown application-layer protocols

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7650317B2 (en) * 2006-12-06 2010-01-19 Microsoft Corporation Active learning framework for automatic field extraction from network traffic

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research on a protocol-based hidden Markov network intrusion detection system; Han Jingling; China Master's Theses Full-text Database, Information Science and Technology series; 2008-06-15 (No. 6); body text pp. 32-38, Chapter 5, Sections 5.1-5.5 *
Protocol identification technology based on hidden Markov models; He Zhongyang et al.; Journal of Information Engineering University; 2011-10-31; Vol. 12 (No. 5); abstract, body Section 2.4, Figure 1 *

Also Published As

Publication number Publication date
CN107438052A (en) 2017-12-05

Similar Documents

Publication Publication Date Title
CN107438052B (en) A kind of anomaly detection method towards unknown industrial communication protocol specification
WO2020143226A1 (en) Industrial control system intrusion detection method based on integrated learning
CN110011999B (en) IPv6 network DDoS attack detection system and method based on deep learning
Zolanvari et al. Effect of imbalanced datasets on security of industrial IoT using machine learning
CN108737410B (en) Limited knowledge industrial communication protocol abnormal behavior detection method based on feature association
CN109391700B (en) Internet of things security cloud platform based on depth flow sensing
Kwon et al. IEEE 1815.1-based power system security with bidirectional RNN-based network anomalous attack detection for cyber-physical system
CN105208037B (en) DoS/DDoS attack detection and filtering method based on lightweight intrusion detection
WO2016082284A1 (en) Modbus TCP communication behavior anomaly detection method based on an OCSVM dual-profile model
CN110120948B (en) Illegal external connection monitoring method based on wireless and wired data stream similarity analysis
CN107241224A (en) Network risk monitoring method and system for a substation
CN106411562A (en) Electric power information network safety linkage defense method and system
CN110535878B (en) Threat detection method based on event sequence
CN105867347B (en) Cross-space cascading fault detection method based on machine learning technology
CN109768952A (en) Industrial control network anomaly detection method based on a trust model
CN108076053A (en) Real-time traffic interception and anomaly early-warning system and method for the wireless Internet of Things
CN111586075B (en) Hidden channel detection method based on multi-scale stream analysis technology
CN106357470A (en) Quick sensing method for network threat based on SDN controller
CN114330544A (en) Method for establishing business flow abnormity detection model and abnormity detection method
CN112149120A (en) Transparent transmission type double-channel electric power Internet of things safety detection system
CN108712369B (en) Multi-attribute constraint access control decision system and method for industrial control network
CN105871861B (en) Intrusion detection method with self-learned protocol rules
CN110266680A (en) Industrial communication anomaly detection method based on a dual similarity measure
CN111669411B (en) Industrial control equipment abnormity detection method and system
CN112261009B (en) Network intrusion detection method for railway dispatching centralized system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant